// Computer Program Listing Appendix Under 37 CFR 1.52(e) 
// DllEntry. cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File DllEntry . cpp : 

Entry point from the OS 

A normal DLL implicitly uses C RTL function _DllMainCRTStartup, but 
this leaves the static object constructors and destructors without 
SEH protection. Evidently, Win2K (and probably other OSes) ignores 
the SetUnhandledExceptionFilter setting inside DllMain. We compen- 
sate by putting the C RTL ' s function inside a SEH block. 

Another reason not to use an unhandled exception filter is that they 
pop up in debuggers, unless the debugger is specially configured to 
ignore, and this would be a nuisance for our developers. 

*/ 

// Windows header files 

# define W I N 3 2 LE AN_AND_ME AN 

f include <windows.h> 

// Application header files 

tdefine NOT INCLUDE FASTSTR 

^include <VSInit.h> 
#include " SecurePrivate . h" 
// External functions 
extern "C" { 

BOOL WINAPI _DllMainCRTStartup ( HANDLE hDHHandle 

, DWORD dwReason 
, LPVOID lpReserved 

) ; 

} 

/* function DllEntry: 
DLL entry point 

*/ 

extern "C" 

BOOL WINAPI ZDllEntry ( HANDLE hDllHandle, DWORD dwReason, LPVOID lpReser 

ved) 

{ 

BOOL fRetCode ; 
try { 

// call the C RTL ' s DllMain, which does some work, then calls our 
// application's DllMain 

fRetCode = _DllMainCRTStartup ( hDllHandle, dwReason, lpReserved) ; 
I // try 

except ( Def aultExcept ionFilterEx ( PEXCEPTION_POINTERS ( _exception_i 

nf o ( ) ) ) ) { 

// return code, in case the filter returns EXCEPT I ON_EXECUTE_HANDLER 
fRetCode = FALSE ; 

// force the linker to include our self -validation code 
// This function itself does nothing. The file containing it has 
// a static initializer that raises an exception that is handled 
// by the self -validation code in VSInit.dll. 
TellLinkerToIncludeSelfValidat ion ( ) ; 

} // except 

// return to the caller 

return fRetCode ; 
} // DllEntry 
// SecurePrivate . h 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File SecurePrivate . h : 

Internal definitions for SecureLink . lib functions 

*/ 

#pragma once 

// Windows header files 

#define W I N 3 2_LE AN_AND_ME AN 

f include <windows.h> 

// Data types 

typedef bool ( * PFNS TAT I C INITIALIZER) () ; 
// Global functions 
extern "C" { 

void cdecl SecureStat icLink ( ) ; 



void cdecl TellLinkerToIncludeSelf Validat ion ( ) ; 

} // extern "C" 

// StaticLinks . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File StaticLinks . cpp : 

Function for a bootstrap patching process 

*/ 

// Windows header files 

fdefine W I N3 2_LE AN_AND_ME AN 

f include <windows.h> 

// Application header files 

#include <VSInit . h> 

f include " SecurePrivate . h" 

/* function SecureStat icLink : 

Placeholder for some very obscure processing 

The static import funnels call here. During self -validat ion, a 
function in VSInit patches the self-referential jump here to jump 
to a function in VSInit instead. The first call from a funnel goes 
to that function, which in turn back patches the funnel to change 
a constant pushed and to call the static link resolver, also in 
VSInit. 

This function is linked into every self -validat ing module because 
of a reference in ValidateSelf ( ) . If the module has no secure 
static links, this code is a small, harmless appendage. 

*/ 

extern "C" declspec ( naked) void cdecl SecureStat icLink ( ) 

{ 

// we emit a 5-byte jump to the next instruction 

// Self -validat ion changes this code to a jump to a function in 
// VSInit. 

asm emit 0xe9 // jump ahead, until patched 

asm emit 0x0 0 

asm emit 0x0 0 

asm emit 0x0 0 

asm emit 0x0 0 

RaiseException ( ERROR_SECURE_NO_PATCH, EXCEP T I ON_NONCONT INUABLE , 0, 0) 

} 

/ / ensure the self -validat ion code is linked, so that this code is 

// patched before it is executed 

TellLinkerToIncludeSelfValidation ( ) ; 
} // SecureStat icLink 
// ValidateSelf . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File ValidateSelf: 

Call the self-validation function in VSInit.dll 

*/ 

// Windows header files 

#define W I N 3 2 LE AN_AND_ME AN 

tinclude <windows.h> 

// Application header files 

#include <VSInit.h> 

finclude " SecurePrivate . h" 

// Specify the initialization order 

// A ZA function may call a secure import in an initializer. We must 
// therefore ensure our static objects are constructed first, 
fpragma warning ( disable : 4073) 
fpragma init_seg ( lib) 
// Static initializer 
static bool ValidateSelf ( ) ; 

static bool flnitialized = ValidateSelf ( ) ; 
/* function TellLinkerToIncludeSelfValidat ion : 
Validate this module 

This function does nothing, but referencing it causes the linker 
to bring in this file, which has a static initializer that 
initiates self-validation in the lib group. Self-validating DLLs 
call this function from their custom DllEntry function. EXEs can 
call it from somewhere in their code, or they can specify the 
function name in an /include clause on the linker command line. 



The code that actually performs self-validation is in VSInit.dll. 

*/ 

declspec ( naked) 

void cdecl TellLinkerToIncludeSelfValidat ion ( ) 

{ 

} // TellLinkerToIncludeSelfValidation 
// All functions below are private to this file 
/* function ValidateSelf : 
Perform self -validation 

The function does not return if validation fails. 

*/ 

static bool ValidateSelf ( ) 
{ 

// perform self -validation 

// The validation is done by VSInit.dll, which gets control via a 
// continuable exception. 

// An attacker can NOP this call, but that will leave some important 
// control blocks uninitialized. The right place to attack is 
// function IsPEFileValid in VSInit.dll. 
VALIDATESELF valSelf ; 
try { 

valSelf .dwVersion = VALSELF_VERS I0N_1 ; 

valSelf .ElPInCaller = PVOID ( ValidateSelf) ; 

valSelf . dwAddrPatchResolveStatic = DWORD ( SecureStat icLink) ; 
DWORD dwArg = DWORD ( SvalSelf) ; 

RaiseException ( TRICKY SELF_VALIDATE , 0, 1, &dwArg) ; 

I // try 

except ( Def aultExcept ionFilterEx ( PEXCEPTION_POINTERS ( _exception_i 

nfo<)))) { 

} // except 

// successful return 

return true ; 
} // ValidateSelf 
// BackPatch . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File BackPatch . cpp : 

Validate an unambiguous instruction pattern, then patch an 
instruction, data location or register image as appropriate 

The call instruction can have several formats, which we order here 
by instruction length. By far the most common is the direct near 
call, E8 xx xx xx xx . Very few of these are emitted by the 
compiler. We do not attempt to identify intersegment calls or 
calls with instruction prefix overrides. 

To accommodate other patterns we have seen in this application, we 
chase a few instructions after the call, when necessary, but we 
limit the instructions we will decoded along the way. As new 
cases arise, reported to the log, we may expand this code. 
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DWORD 


PTR 
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FF 
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CALL 


DWORD 


PTR 


[ECX] 


FF 


12 


CALL 


DWORD 


PTR 


[EDX] 


FF 


13 


CALL 


DWORD 


PTR 


[EBX] 


FF 


16 


CALL 


DWORD 


PTR 


[ESI] 


FF 


17 


CALL 


DWORD 


PTR 


[EDI] 


FF 


DO 


CALL 


EAX 






FF 


Dl 


CALL 


ECX 






FF 


D2 


CALL 


EDX 






FF 


D3 


CALL 


EBX 






FF 


D4 


CALL 


ESP 






FF 


D5 


CALL 


EBP 






FF 


D6 


CALL 


ESI 






FF 


D7 


CALL 


EDI 






FF 


14 24 


CALL 


DWORD 


PTR 


[ESP] 


FF 


55 xx 


CALL 


DWORD 


PTR 


[EBP] 


FF 


5 0 xx 


CALL 


DWORD 


PTR 


[EAX+short] 


FF 


51 xx 


CALL 


DWORD 


PTR 


[ECX+short ] 


FF 


52 xx 


CALL 


DWORD 


PTR 


[EDX+short] 


FF 


53 xx 


CALL 


DWORD 


PTR 


[EBX+short] 


FF 


55 xx 


CALL 


DWORD 


PTR 


[EBP+short ] 



Third most common, 



tie 



tie 



FF 
FF 
FF 
E8 
FF 
FF 
FF 
FF 
FF 
FF 

FF 
FF 
FF 



5 6 xx 
57 xx 

54 24 xx 

XX XX XX XX 

15 xx xx xx xx 

9 0 xx xx xx xx 

91 xx xx xx xx 

92 xx xx xx xx 

93 xx xx xx xx 
95 xx xx xx xx 



CALL DWORD PTR [ESI+short] 

CALL DWORD PTR [EDI+short] 

CALL DWORD PTR [ESP+short] 
CALL ElP-relative 

CALL DWORD PTR [Address] 

CALL DWORD PTR [EAX+long] 

CALL DWORD PTR [ECX+long] 

CALL DWORD PTR [EDX+long] 

CALL DWORD PTR [EBX+long] 

CALL DWORD PTR [EBP+long] 



Most common 
Second most common 



Third most common, 



96 
97 
94 
Jumps 
FF 20 



XX XX XX XX 
XX XX XX XX 

2 4 xx xx xx xx 



CALL DWORD PTR 
CALL DWORD PTR 
CALL DWORD PTR 



FF 
FF 
FF 
FF 
FF 



21 
22 
23 
26 
27 



FF E0 
FF El 
FF E2 
FF E3 
FF E4 
FF E5 
FF E6 
FF E7 
FF 
FF 
FF 
FF 
FF 
FF 
FF 
FF 
FF 
FF 
E9 
FF 
FF 
FF 



24 
65 
60 
61 
62 
63 
65 
66 
67 
64 
xx 
25 
AO 
Al 



FF A2 

FF A3 

FF A5 

FF A6 

FF A7 

FF A4 
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XX 
XX 
XX 

2 4 xx 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 

XX XX XX 



JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP EAX 

JMP ECX 

JMP EDX 

JMP EBX 

JMP ESP 

JMP EBP 

JMP ESI 

JMP EDI 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 

JMP DWORD PTR 



[ESI+long] 
[EDI+long] 
[esp+long] 

[EAX] 
[ECX] 
[EDX] 
[EBX] 
[ESI] 
[EDI] 



JMP ElP-relative 



xx 

XX 
XX 
XX 
XX 
XX 
XX 
XX 



2 4 xx xx xx xx 



ESP] 
EBP] 

EAX+short ] 
ECX+short ] 
EDX+short ] 
EBX+short ] 
EBP+short ] 
ESI+short] 
EDI+short] 
ESP+short] 



Address ] 

EAX+long] 

ECX+long] 

EDX+long] 

EBX+long] 

EBP+long] 

ESI+long] 

EDI+long] 

esp+long] 



Most common 
Second most common 



JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 
JMP DWORD PTR 

A short displacement is -128 through 127, encoded in twos complement 
form. A long displacement is a twos complement 32-bit number 
*/ 

// Pre-compiled header files, must come first 
finclude "VS Init_pch . h" 
#pragma hdrstop 
// Compiler header files 
#include <stdio.h> 
// Application header files 
#include "VSInit_int . h" 
// Data types 
typedef enum { 

INST_NONE = 0 

, CALL2_INDIR_EAX_ZERO = 201 
, CALL2_INDIR_ECX_ZERO 
, CALL2_INDIR_EDX_ZERO 
, CALL2_INDIR_EBX_ZERO 
, CALL2_INDIR_ESI_ZERO 



CALL2 


_INDIR_EDI_ZERO 


C AT.T.9 


D I R 


EAX 


C AT.T.? 


D IR 


ECX 


P AT.T.? 


D I R 


EDX 


C AT.T,? 


D IR 


EBX 


P AT.T.9 


D IR 


ESP 


C AT.T.? 


D IR 


EBP 


f 1 AT.T.? 


D IR 


ESI 


PALL? 


D IR 


ED I 


CALL 3 


ESP 


ZERO 


C ALT. "3 


EAX 


SHORT 


CALL 3 


ECX 


SHORT 


C AT.T. 3 


_EDX_ 


_SHORT 


CALL 3 


_EBX_ 


_SHORT 


r* AT.T. 3 


_EBP_ 


_SHORT 


CALL 3 


_ESI_ 


_SHORT 


C AT.T. 3 


_EDI_ 


_SHORT 


CALL 4 


_ESP_ 


_SHORT 




_EIP_ 


.RELATIVE 


JUMP 5 


_EIP_ 


.RELATIVE 


C AT.T. 6 


_D GROUP 


C ALT. 6 


_EAX_ 


_LONG 


C AT.T. 6 


_ECX_ 


_LONG 


CALL6_ 


_EDX_ 


_LONG 


CALL6_ 


_EBX_ 


_LONG 


CALL6_ 


_EBP_ 


_LONG 


CALL6_ 


_ESI_ 


_LONG 


CALL6_ 


_EDI_ 


_LONG 


JUMP 6_ 


_D GROUP 


CALL7_ 


_ESP_ 


_LONG 



= 301 



= 401 
= 501 

= 601 



// set only for special inst 

// address of current instru 

// address of where to patch 

// maximum instructions to d 



= 701 

} INST TYPE ; 

typedef struct { 

INST TYPE it ; 

ructions 

DWORD dwAddrlnst ; 
ct ion 

DWORD dwAddrPtch ; 
} PTCH_DATA, * P P T C H_D AT A ; 
// Constants 

const int nMaxDecodes = 4 ; 
ecode 

// Local functions 

static inline DWORD ComputeLong ( DWORD dwBase, LONG IDisplacement ) 
static inline DWORD ComputeShort ( DWORD dwBase, char cDisplacement ) 
static bool FollowTheCall ( DWORD dwAddrStub 

, P P T C H_D AT A ppd 

, int nStepsRemaining 

) ; 

static bool IsCaller2 ( DWORD, PCPUREGS, P P T C H_D AT A ppd) 

static bool IsCaller3 ( DWORD, PCPUREGS, P P T C H_D AT A ppd) 

static bool IsCaller4 ( DWORD, PCPUREGS, PPTCH_DATA ppd) 

static bool IsCaller5 ( DWORD, PCPUREGS, PPTCH DATA ppd) 

static bool IsCaller6( DWORD, PCPUREGS, 

static bool IsCaller7 ( DWORD, 



P P T C H DATA ppd) 

PCPUREGS, P P T C H DATA ppd) 



static void WarnNoPatch ( int nWarning, DWORD dwAddrRet, int nbrBytes) ; 
/* function BackPatch: 

Patch the caller of a static link stub 

Since each patch we apply is a single DWORD, we don't have to 
worry about yielding to another thread while a patch is half 
applied. Is this true even if the DWORD target straddles a 
page boundary? As of March 2 0 03 we are called under the 
protection of a per-process critical section. 

False positives on our code matches are possible, but extremely 
unlikely . 

Returns: true if we patched a code or data address that is likely 
to stay patched 
false if we were unable to patch, or if our patch is likely 
to fall off 



We are still fine tuning these return codes. The caller 
uses the return code to avoid the overhead of repeated 
calls to this function for the same calling address. 



*/ 

bool BackPatch ( DWORD dwAddrRet 

, DWORD dwAddrTargetNew 

, DWORD dwAddrStub 

, PCPUREGS pRegs 
) 



{ 



// adjust the ESP image 

// The value pushed in our funnel is 16 bytes less than the value 
// before the call to the stub. The four intervening pushes are 
// for the CALL instruction itself, the PUSH of the hash in the 
// stub, the push of the hint in the stub, and the CALL of the stub 
// to the funnel. See SecurePE . asm for the latter two instructions. 
// We don't need to restore this ESP image in the stack, since the 
// value is discarded by the caller's POPAD . We do need to be sure 
// we adjust the value only once, so that our calculations below are 
// correct. 
pRegs->ESP +=16; 

// look for call instructions of all different lengths 
// We check all possibilities in case of ambiguity. 
PTCH_DATA pd2 = { INST_NONE, dwAddrRet - 2 } 

PTCH DATA pd3 = { INST NONE, dwAddrRet - 3 } 

PTCH DATA pd4 = { INST NONE , dwAddrRet - 4 } 

PTCH DATA pd5 = { INST NONE, dwAddrRet - 5 } 

PTCH DATA pd6 = { INST NONE, dwAddrRet - 6 } 

PTCH DATA pd7 = { INST NONE, dwAddrRet - 7 } 

bool fFound2 = IsCaller2 ( dwAddrStub, pRegs, 
bool fFound3 = IsCaller3 ( dwAddrStub, pRegs, 
bool fFound4 = IsCaller4 ( dwAddrStub, pRegs, 
bool fFound5 = IsCaller5 ( dwAddrStub, pRegs, 
bool fFound6 = IsCaller6 ( dwAddrStub, pRegs, 
bool fFound7 = IsCaller7 ( dwAddrStub, pRegs, 
// ensure there is exactly one match 
int nbrMatches = 0 

, biggestMatch = 0 

} 

P P T C H DATA ppd ; 



&pd2) 
&pd3) 
&pd4) 
&pd5) 
&pd6) 
&pd7) 



if 


( fFound2) 


I 


ppd = 


&pd2 


r 


nbrMatches++ 


} 


biggestMatch = 


2 


if 


( fFound3) 


{ 


ppd = 


&pd3 


r 


nbrMatches++ 


r 


biggestMatch = 


3 


if 


( fFound4) 


{ 


ppd = 


&pd4 


r 


nbrMatches++ 


r 


biggestMatch = 


4 


if 


( fFound5) 


{ 


ppd = 


&pd5 


r 


nbrMatches++ 


r 


biggestMatch = 


5 


if 


( fFound6) 


{ 


ppd = 


&pd6 


r 


nbrMatches++ 


r 


biggestMatch = 


6 


if 


( fFound7) 


{ 


ppd = 


&pd7 


r 


nbrMatches++ 


r 


biggestMatch = 


7 


if 


( nbrMatches 




== 0) 


{ 













WarnNoPatch ( WARNING_SECURE_BACK_PATCH_1 , dwAddrRet, 
return false ; 



7) 



I 

if ( nbrMatches > 1) { 

WarnNoPatch ( WARNING SECURE BACK_PATCH 2 , dwAddrRet, biggestMatch) 

return false ; 



} 

// 
// 
// 
// 
// 
// 



handle the exception cases 

These are direct calls or jumps through registers, and EIP- 

relative calls and jumps, 
now apply the patch, all too many cases 
Only the special cases set ppd->it . 



ppd->dwAddrPtch 



// where to patch, really PD 
// for all cases but most co 



DWORD dwAddrPatch 
WORD 

DWORD dwNewValue = dwAddrTargetNew 
mmon 

PBYTE pblnst = PBYTE ( dwAddrRet - biggestMatch) ; 

switch ( ppd->it) { // switch on the instruction 

type 

default : break ; 



Q3.se 


PATJ,? 


DIR. 


EAX 




->EAX 


K^k. W IN ~ W V CL -L- U. C 
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J_ ~ L U J- 1 1 


false 


case 


CALL2_ 


_DIR_ 


_ECX 


: pRegs 


->ECX 


= dwNewValue 


• return 


false 


case 


CALL2_ 


_DIR_ 


_EDX 


: pRegs 


->EDX 


= dwNewValue 


• return 


false 


case 


CALL2_ 


_DIR_ 


_EBX 


: pRegs 


->EBX 


— dwNewValue 


• return 


false 


case 


CALL2_ 


_DIR_ 


_EBP 


: pRegs 


->EBP 


= dwNewValue 


• return 


false 


case 


CALL2_ 


_DIR_ 


_ESI 


: pRegs 


->ESI 


= dwNewValue 


* return 


false 


case 


CALL2_ 


_DIR_ 


_EDI 


: pRegs 


->EDI 


= dwNewValue 


- return 


false 


case 


CALL2_ 


_DIR_ 


_ESP 













} 



WarnNoPatch( WARNING_SECURE_BACK_PATCH_4 , dwAddrRet, 2) ; 

return false ; // cannot easily change ESP 

case JUMP5_EIP_RELATIVE : 
case CALL 5_E I P RE LAT I VE : 

dwNewValue = dwAddrTargetNew - ( dwAddrPatch +4) ; 

break ; 
// switch on the call type 



// apply the patch 



0 I 



if ( PatchDWord( dwAddrPatch, dwNewValue) == false 

WarnNoPatch ( WARNING SECURE BACK_PATCH 3 , dwAddrRet, 

return false ; 



biggestMatch) 



} 



// return to caller 
// testing only 
// this will flood the log 



#if 0 

// see which patches we did apply 
LogSecError( "%u %X %X" 

, I NF 0_S E CURE_GOOD_B AC K_P AT C H 

, dwAddrPatch 

, dwNewValue 

) ; 

#endif 

// successful return 

return true ; 
} // BackPatch 
/* function PatchDWord: 

Write a DWORD to an address that may be on a read-only page 

*/ 

bool PatchDWord ( DWORD dwAddrTarget , DWORD dwValue) 
{ 



// write to memory 

// We don't need to lock the patched page (s) , even if it is code. 

// 
// 
// 
// 
// 



The page is marked dirty by our modification, and this appears 
to be enough to make the memory manager assign a backing page 
in the swap file if one is not already assigned. 
In NT/XP/2K, the write also triggers copy-on-write processing 
for code pages. 
PDWORD pdwTarget = P DWORD ( dwAddrTarget) ; 
DWORD flOldProtect ; 

if ( VirtualProtect ( LP VOID ( pdwTarget) 

, sizeof ( DWORD) 

, PAGE EXECUTE_READWRI TE 

, &f lOldProtect 
) == FALSE) { 

return false ; 
} // if VirtualProtect failed 
*pdwTarget = dwValue ; 

if ( VirtualProtect ( LP VOID ( pdwTarget) 

, sizeof ( DWORD) 
, flOldProtect 
, &f lOldProtect 
) == FALSE) { 



return false 



} 



// successful return 
return true ; 
} // PatchDWord 

// All functions below are private to this file. 
/* function ComputeLong: 

Compute an address from a base address and a signed 32-bit displaceme 

nt 

Because of 32-bit wraparound, we can just as soon treat the displacem 



ent 

as unsigned. 

*/ 

static inline DWORD ComputeLong ( DWORD dwBase, LONG lDisplacement ) 
{ 

return dwBase + lDisplacement ; 
} // ComputeLong 
/* function ComputeShort : 

Compute an address from a base address and a signed character displac 
ement 
*/ 

static inline DWORD ComputeShort ( DWORD dwBase, char cDisplacement ) 
{ 

return dwBase + LONG ( cDisplacement) ; 
} // ComputeShort 
/* function FollowTheCall : 

Simulate a few instructions to see if the call reaches its target 

Since this function is called inside a try / except scope, we 

reference memory with impunity. 

*/ 

static bool FollowTheCall ( DWORD dwAddrStub 

, PPTCH_DATA ppd 
, int nStepsRemaining 
) 



{ 



// bail out if we have decoded enough already 

// This avoids excessive path length in general, and loops in 

// particular. 

if ( nStepsRemaining <= 0) 

return false ; 
// point to the instruction 

PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
// indirect near jump? 

if ( pblnst [ 0] == Oxff && pblnst [ 1] == 0x25) { 

// update the patch address if a prior instruction cannot be skipped 
if ( ppd->dwAddrPtch == 0) 

ppd->dwAddrPtch = * PDWORD ( ppd->dwAddr Inst + 2) ; 
// if this hits the target 

DWORD dwTarget = * PDWORD ( * PDWORD ( pblnst +2)) ; 
if ( dwTarget == dwAddrStub) 

return true ; 
// try the next instruction 

ppd->dwAddr Inst = dwTarget ; // simulate the instruction 

return FollowTheCall ( dwAddrStub, ppd, nStepsRemaining - 1) ; 
} // indirect near jump 
// direct near jump? 
if ( pblnst [ 0] == 0xe9) { 

// update the patch address if a prior instruction cannot be skipped 
if ( ppd->dwAddrPtch ==0) { 

ppd->dwAddrPtch = ppd->dwAddr Inst + 1 ;// was 2, fixes bug 18929 
ppd->it = JUMP5_EIP_RELATIVE ; // gets special handling 

I 

// if this hits the target 

DWORD dwTarget = ppd->dwAddr Inst + 5 + * ( PDWORD) ( pblnst +1) ; 
if ( dwTarget == dwAddrStub) 

return true ; 
// try the next instruction 

ppd->dwAddr Inst = dwTarget ; // simulate the instruction 

return FollowTheCall ( dwAddrStub, ppd, nStepsRemaining - 1) ; 
} // indirect near jump 
// imm-32 register load? 
if ( ( pblnst [ 0] & 0xf8) == 0xb8) { 

// bail out if ESP is the destination 

if ( pblnst [ 0] == Oxbc) 
return false ; 

// advance the instruction pointer 

ppd->dwAddrInst += 5 ; 

// erase memory of the call instruction, since any patch must be 



// applied to a subsequent jump, lest the patch skip this 

// instruction 

ppd->it = INST_NONE ; 

ppd->dwAddrPtch = 0 ; 

// try the next instruction 

return FollowTheCall ( dwAddrStub, ppd, nStepsRemaining - 1) 
} // imm-32 register load 
// some imm-32 moves to memory 
if ( pblnst [ 0] == 0xc7) { 
DWORD dwInstBytes ; 
switch ( pblnst [ 1]) 



// bytes in the instruction 



default 
case 0x00 
case 0x01 
case 0x02 
case 0x03 
case 0x06 
case 0x07 

dwInstBytes 

break ; 
case 0x40 
case 0x41 
case 0x42 
case 0x43 
case 0x45 
case 0x46 
case 0x47 

dwInstBytes 

break ; 
case 
case 
case 
case 
case 
case 
case 



{ 

return false 



= 6 



// 
// 
// 
// 
// 
// 
// 



// 
// 
// 
// 
// 
// 
// 



we don ' 
[EAX] 
[ECX] 
[EDX] 
[EBX] 
[ESI] 
[EDI] 



[EAX+short ] 
[ECX+short] 
[EDX+short ] 
[EBX+short] 
[EBP+short ] 
[ESI+short] 
[EDI+short] 



t handle yet 



or [EBP] 



= 7 



0x80 : // [EAX+long] 

0x81 : // [ECX+long] 

0x82 : // [EDX-hlong] 

0x83 : // [EBX+long] 

0x85 : // [EBP+long] 

0x86 : // [ESI+long] 

0x87 : // [EDI+long] 

dwInstBytes = 10 ; 
break ; 

} // switch on the instruction type 
// advance the instruction pointer 
ppd->dwAddr Inst += dwInstBytes ; 

// erase memory of the call instruction, since any patch must be 
// applied to a subsequent jump, lest the patch skip this 
// instruction 
ppd->it = INST_NONE ; 
ppd->dwAddrPtch = 0 ; 
// try the next instruction 

return FollowTheCall ( dwAddrStub, ppd, nStepsRemaining - 1) ; 
} // some imm-32 moves to memory 
// we did not find an instruction of interest 
return false ; 
} // FollowTheCall 
/* function IsCaller2: 

Could the caller have used a 2-byte instruction? 
When one function calls another several times in 
compiler can generate small code by putting the 
in a register and calling repeatedly through that register. In 
VC++ 6.0 we have seen this technique used only for imported 
functions, which our stubs are not. 

*/ 

static bool IsCaller2 ( DWORD dwAddrStub, PCPUREGS pRegs, PPTCH DATA ppd) 

{ 

// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 2)) 

return false ; 
// if there is a 2-byte call here, decide which one 
if ( pblnst [0] != Oxf f ) 



succession, the 
target address 



return false 
DWORD dwReg ; 
switch ( pblnst [ 1]) 



{ 



default 
case 0x10 
case 0x11 
case 0x12 
case 0x13 
case 0x16 
case 0x17 
case OxDO 
case OxDl 
case 0xD2 



case 
case 
case 
case 
case 



0xD3 
0xD4 
0xD5 
0xD6 
0xD7 



return false ; 
dwReg = pRegs->EAX ; break 
dwReg = pRegs->ECX ; break 
dwReg = pRegs->EDX ; break 
dwReg = pRegs->EBX ; break 
dwReg = pRegs->ESI ; break 
dwReg = pRegs->EDI ; break 

ppd->it = CALL 2 D IR_EAX 

ppd->it = CALL2_DIR_ECX 

ppd->it = CALL 2 D IR_EDX 

ppd->it = CALL 2 D IR_EBX 

ppd->it = CALL2_DIR_ESP 

ppd->it = CALL 2 D IR_EBP 

ppd->it = CALL2_DIR_ESI 
ppd->it = CALL 2 DIR_EDI 



dwReg 


= pRegs 


->EAX , 


• break 


dwReg 


= pRegs 


->ECX , 


• break 


dwReg 


= pRegs 


->EDX , 


• break 


dwReg 


= pRegs 


->EBX , 


• break 


dwReg 


= pRegs 


->ESP ( 


• break 


dwReg 


= pRegs 


->EBP ( 


• break 


dwReg 


— pRegs 


->ESI , 


• break 


dwReg 


- pRegs 


->EDI , 


• break 



} // switch on the second byte 
// validate the possible instruction's target 



if ( ( pblnst [ 1] & 0x80) != 0) { 
gister 

// we are done if this hits the target 
if ( dwReg — dwAddrStub) 



// if direct call through re 



// if the call is to the stu 



return true ; 
// try following the call 
ppd->dwAddrInst = dwReg ; 
return FollowTheCall ( dwAddrStub, 



// simulate the call 



b 



} 

// set the patch address 
ppd->dwAddrPt ch = dwReg ; 

// possible instruction is an indirect call 
try { 

// we are done if this hits the target 
if ( * PDWORD ( dwReg) == dwAddrStub) 



ppd, nMaxDecodes ) 



// if the call is to the stu 



return true ; 
// try following the call 
ppd->dwAddrInst = * PDWORD ( dwReg) ; 
return FollowTheCall ( dwAddrStub, ppd, 
// try 

.except ( EXCEPTION EXECUTE HANDLER) { 

return false ; 



// simulate the call 
nMaxDecodes) ; 



// if no instruction validat 



ed 

} // except 

} // IsCaller2 

/* function IsCaller3: 

Could the caller have used a 3-byte instruction? 

*/ 

static bool IsCaller3 ( DWORD dwAddrStub, PCPUREGS pRegs, PPTCH_DATA ppd) 
{ 

// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 3)) 

return false ; 
// if there is a 3-byte call here, decide which one 
if ( pblnst [0] != Oxf f ) 

return false ; 
DWORD dwReg ; 
switch ( pblnst [ 1]) { 

default : return false ; 

case 0x14 : dwReg = pRegs->ESP ; break 

case 0x5 0 : dwReg = pRegs->EAX ; break 

case 0x51 : dwReg = pRegs->ECX ; break 

case 0x52 : dwReg = pRegs->EDX ; break 

case 0x53 : dwReg = pRegs->EBX ; break 

case 0x55 : dwReg = pRegs->EBP ; break 



case 0x56 : dwReg = pRegs->ESI ; break ; 

case 0x57 : dwReg = pRegs->EDI ; break ; 
} // switch on the second byte 
// determine the patch address 
if ( pblnst [ 1] == 0x14) 

ppd->dwAddrPtch = dwReg ; // CALL3_ESP_ZERO 

else 

ppd->dwAddrPtch = ComputeShort ( dwReg, pblnst [ 2]) ; 
// validate the possible instruction's target 
LONG IDisplacement ; 

if ( pblnst [ 1] == 0x14) // CALL3_ESP_ZERO 

IDisplacement = 0 ; 
else 

IDisplacement = LONG ( pblnst [ 2]) ; 
// possible instruction is an indirect call 
try { 

DWORD dwTarget = * PDWORD ( dwReg + IDisplacement) ; 

if ( dwTarget == dwAddrStub) // if the call is to the stu 

b 

return true ; 
// try following the call 

ppd->dwAddrInst = dwTarget ; // simulate the call 

return FollowTheCall ( dwAddrStub, ppd, nMaxDecodes) ; 
I // try 

except ( EXCEPT I ON_EXECUTE HANDLER) { 

return false ; // if no instruction validat 

ed 

} // except 

} // IsCaller3 

/* function IsCaller4: 

Could the caller have used a 4-byte instruction? 

*/ 

static bool IsCaller4 ( DWORD dwAddrStub, PCPUREGS pRegs, P P T C H_D AT A ppd) 
{ 

// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 4)) 

return false ; 
// there is only one 4-byte call 

if ( pblnst [ 0] != Oxff || pblnst [ 1] != 0x54 || pblnst [ 2] != 0x2 

4) 

return false ; 
DWORD dwReg = pRegs->ESP ; 

ppd->dwAddrPtch = ComputeShort ( dwReg, pblnst [ 3]) ; 
LONG IDisplacement = LONG ( pblnst [ 3]) ; 
try { 

DWORD dwTarget = * PDWORD ( dwReg + IDisplacement) ; 

if ( dwTarget == dwAddrStub) // if the call is to the stu 

b 

return true ; 
// try following the call 

ppd->dwAddrInst = dwTarget ; // simulate the call 

return FollowTheCall ( dwAddrStub, ppd, nMaxDecodes) ; 
I // try 

except ( EXCEPT ION_EXECUTE HANDLER) { 

return false ; // if no instruction validat 

ed 

} // except 

} // IsCaller4 

/* function IsCaller5: 

Could the caller have used a 5-byte instruction? 

*/ 

static bool IsCaller5 ( DWORD dwAddrStub, PCPUREGS pRegs, P P T C H_D AT A ppd) 
{ 

// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 5)) 
return false ; 



// is there is a 5-byte call here? 
if ( pblnst [0] != 0xe8) 

return false ; 
// set the patch target and instruction 

// These will be overridden only if we step into instructions that 
// cannot be skipped. 

ppd->dwAddrPtch = ppd->dwAddr Inst + 1 ; 

ppd->it = C ALL 5_E I P_RE LAT I VE ; // gets special handling 

// see if this call goes directly to the stub 



DWORD dwTarget = ppd->dwAddr Inst + 5 + 
if ( dwTarget == dwAddrStub) 



PDWORD ( pblnst +1) ; 
// if the call is to the stu 



// try / except 

// simulate the call 
nMaxDecodes) ; 



return true ; 
// try following the call 
try { 

ppd->dwAddr Inst = dwTarget ; 

return FollowTheCall ( dwAddrStub, ppd, 
} // try 

except ( EXCEPT I ON_EXECUTE_HANDLER) { 

return false ; 

} // except 

} // IsCaller5 

/* function IsCaller6: 

Could the caller have used a 6-byte instruction? 

*/ 

static bool IsCaller6( DWORD dwAddrStub, PCPUREGS pRegs, PPTCH DATA ppd) 

{ 



// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 6)) 

return false ; 
// if there is a 6-byte call here, decide which one 
if ( pblnst [0] != Oxf f ) 

return false ; 
DWORD dwReg ; 



switch 


( pblnst [ 1] ) 


{ 






default : 


return 


false 


} 




case 


0x15 : 


dwReg 


= 0 




• break 


case 


0x90 : 


dwReg 


— pRegs 


->EAX 


• break 


case 


0x91 : 


dwReg 


= pRegs 


->ECX 


• break 


case 


0x92 : 


dwReg 


= pRegs 


->EDX 


- break 


case 


0x93 : 


dwReg 


= pRegs 


->EBX 


• break 


case 


0x95 : 


dwReg 


= pRegs 


->EBP 


* break 


case 


0x96 : 


dwReg 


= pRegs 


->ESI , 


• break 


case 


0x97 : 


dwReg 


= pRegs 


->EDI 


• break 


} // 


switch 


on the 


second 


byte 





* PDWORD ( pblnst + 
target 



2) ) 



// determine the patch address 
ppd->dwAddrPtch = ComputeLong ( dwReg, 
// validate the possible instruction's 

// For the DGROUP call, the vector must be in the DGROUP . 
PDWORD pdwTarget = PDWORD ( ppd->dwAddrPt ch ) ; 
#if 0 // add this test 
if ( pblnst [ 1] == 0x15) { 
try { 

IsAddressInThisModule ( DWORD ( pdwTarget)) ; 
} // try 

except ( EXCEPTION EXECUTE HANDLER) { 

return false ; 

} // except 

} // if a possible DGROUP call 
#endif 

// validate the target for all instructions 

try { 

DWORD dwTarget = *pdwTarget ; 

if ( dwTarget == dwAddrStub) // if the call is to the stu 



return true ; 
// try following the call 



ppd->dwAddr Inst = dwTarget ; // simulate the instruction 

return FollowTheCall ( dwAddrStub, ppd, nMaxDecodes) ; 
} // try 

except ( EXCEPT I ON_EXECUTE_HANDLER) { 

return false ; 

} // except 

} // IsCaller6 

/* function IsCaller7: 

Could the caller have used a 7-byte instruction? 

*/ 

static bool IsCaller7 ( DWORD dwAddrStub, PCPUREGS pRegs, PPTCH DATA ppd) 

{ 

// ensure we can read the instruction bytes 
PBYTE pblnst = PBYTE ( ppd->dwAddr Inst ) ; 
if ( IsBadReadPtr ( pblnst, 7)) 

return false ; 
// there is only one 7-byte call 

if ( pblnst [ 0] 1= Oxff || pblnst [ 1] != 0x94 || pblnst [ 2] != 0x2 

4) 

return false ; 
// compute the patch address 

ppd->dwAddrPtch = ComputeLong ( pRegs->ESP, * PDWORD ( pblnst +3)) ; 
// validate the possible instruction's target 
try { 

DWORD dwTarget = * PDWORD ( ppd->dwAddrPtch) ; 

if ( dwTarget == dwAddrStub) // if the call is to the stu 

b 

return true ; 
// try following the call 

ppd->dwAddrInst = dwTarget ; // simulate the call 

return FollowTheCall ( dwAddrStub, ppd, nMaxDecodes) ; 
} // try 

except ( EXCEPTION EXECUTE HANDLER) { 

return false ; 

} // except 

} // IsCaller7 

/* function WarnNoPatch: 

Warn that we were unable to back patch the static link caller 

*/ 

static void WarnNoPatch ( int nWarning, DWORD dwAddrRet, int nbrBytes) 
{ 

// point to the earliest possible instruction start 
PBYTE pblnst = PBYTE ( dwAddrRet - nbrBytes) ; 
// format the first part of the message 
char szMsg [ 100] ; 
int iLength = 0 ; 

// display the instruction bytes if possible 
try { 

for ( int ndxByte = 0 ; ndxByte < nbrBytes ; ndxByte++) { 

iLength += sprintf ( szMsg + iLength, "%2.2X ", pblnst [ ndxByte]) ; 

} 

I // try 

except ( EXCEPT I ON_EXECUTE HANDLER) { 

} // except 

// report the error 

LogSecError ( "%u %X %s", nWarning, pblnst, szMsg) ; 
} // WarnNoPatch 
// Cert if icates . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File Certificates . cpp : 

Manage certificates for module validation 

*/ 

// Pre-compiled header files, must come first 

tinclude "VSInit_pch . h" 

fpragma hdrstop 

// Windows header files 

#include <wincrypt.h> 

f include <wintrust.h> 



// Compiler header files 
// Application header files 
f include <vsinit.h> 
^include "vsinit_int . h" 
// Constants 

// The compiler emits bloated code for aggregate constants (e.g., arrays 
// or structures) in function scope. 

const char szKeyTest [] = "Sof tware\ \Microsof t \ \Windows\ \CurrentVersion" 

" \\WinTrust\\Trust Providers \ \ Sof tware Publishi 

ng" 

, szValState[] = "State" 
, szSysStoreRoot [ ] = "Root" 
, szSysStoreTrust [ ] = "Trust" 
, szSysStoreCA [ ] = "CA" 

, szMSVCRT[] = "MSVCRT" // C RTL DLL, release build 

, szMSVCRTD[] = "MSVCRTD" // C RTL DLL, debug build 



const char * ps zSysStore [ ] = { s zSysSt oreRoot 

, szSysStoreTrust 
, szSysStoreCA 
I ; 

const int nbrSysStores = sizeof pszSysStore / sizeof pszSysStore [ 0] ; 
// If we define these arrays as const, the compiler complains because 
// that disagrees with the CRYPT_ALGORI THM_IDENT IFIER and CRYPT_BIT_ 
// BLOB definitions. 

static char s zPubKeyTestAlgID [ ] = s zOID_RSA_RSA ; 



static BYTE bPubKeyTestl [] 
f icate 



// public key for test certi 





= { 


0x30, 


0x47, 


0x02 , 


0x4 0 , 


0x81 , 


0x55, 


0x22, 


0xB9, 


0x8A, 


Ox 


A4 




























0x6F, 


OxED, 


0xD6, 


0xE7 , 


OxD 9 , 


0x66, 


OxOF, 


0x55, 


OxBC, 


Ox 


D7 


























r 


OxCD, 


0xD5, 


OxBC, 


0x4E, 


0x40, 


0x02, 


0x21, 


0xA2, 


OxBl, 


Ox 


F7 




























0x87, 


0x30, 


0x85, 


0x5E, 


0xD2, 


0xF2, 


0x44, 


0xB9, 


OxDC, 


Ox 


9B 
























36 


r 


0x75, 


0xB6, 


OxFB, 


0x46, 


0x5F, 


0x42, 


0xB6, 


0x9D, 


0x23, 


Ox 




r 


OxOB, 


OxDE, 


0x54, 


OxOF, 


OxCD, 


OxBD, 


OxlF, 


0x99, 


0x2A, 


Ox 


10 


























r 


0x58, 


0x11, 


OxCB, 


0x40, 


OxCB, 


0xB5, 


0xA7, 


0x41, 


0x02, 


Ox 


03 


























r 


0x01, 


0x00, 


0x01 


















S 

, bPubKeyTest2 [] 






// 


public key 


for test certi 


f icate 


























= I 


0x30, 


0x48, 


0x02, 


0x41, 


0x00, 


0x81, 


0x55, 


0x22, 


0xB9, 


Ox 


8A 


























/ 


0xA4, 


0x6F, 


OxED, 


0xD6, 


0xE7, 


0xD9, 


0x66, 


OxOF, 


0x55, 


Ox 


BC 


























r 


0xD7, 


OxCD, 


0xD5, 


OxBC, 


0x4E, 


0x40, 


0x02, 


0x21, 


0xA2, 


Ox 


Bl 


























r 


0xF7, 


0x87, 


0x30, 


0x85, 


0x5E, 


0xD2, 


0xF2, 


0x44, 


0xB9, 


Ox 


DC 


























r 


0x9B, 


0x75, 


0xB6, 


OxFB, 


0x46, 


0x5F, 


0x42, 


0xB6, 


0x9D, 


Ox 


23 


























r 


0x36, 


OxOB, 


OxDE, 


0x54, 


OxOF, 


OxCD, 


OxBD, 


OxlF, 


0x99, 


Ox 


2A 


























r 


0x10, 


0x58, 


0x11, 


OxCB, 


0x40, 


OxCB, 


0xB5, 


0xA7, 


0x41, 


Ox 


02 


























f 


0x03, 


0x01, 


0x00, 


0x01 
















f 

, bPubKeyTest3 [] 






// 


public key 


for test certi 


f icate 


























= I 


0x30, 


0x47, 


0x02, 


0x40, 


0x9C, 


0x50, 


0x05, 


OxlD, 


0xE2, 


Ox 


0E 




























0x4C, 


0x53, 


0xD8, 


0xD9, 


0xB5, 


0xE5, 


OxFD, 


0xE9, 


0xE3, 


Ox 



AD 





0x83, 


Ox4B, 


0x80, 


0x08, 


0xD9, 


OxDC, 


0xE8, 


0xE8, 


0x35, 


Ox 


/ 


0x11, 


OxFl, 


0xE9, 


0x9B, 


0x03, 


Ox7A, 


0x65, 


0x64, 


0x76, 


Ox 


/ 


OxCE, 


0x38, 


Ox2C, 


OxF2, 


0xB6, 


0x71, 


0x9E, 


0x06, 


0xD9, 


Ox 


f 


OxBB, 


0x31, 


0x69, 


OxA3, 


0xF6, 


0x30, 


OxAO, 


0x78, 


Ox7B, 


Ox 


t 


OxDD, 


0x50, 


Ox4D, 


0x79, 


OxlE, 


OxEB, 


0x61, 


OxCl, 


0x02, 


Ox 


I 


0x01, 


0x00, 


0x01 

















F8 
35 
BF 
18 
03 

} 

r 

const CERT_PUBLIC_KEY_INFO CertTestKeyl 

= { { szPubKeyTestAlgID, 0}, { sizeof bPubKeyTest 1 , bPubKeyTest 1 , 

0 }} ; 

const CERT_PUBLIC_KEY_INFO CertTestKey2 

= { { szPubKeyTestAlgID, 0}, { sizeof bPubKeyTest2 , bPubKeyTest2 , 

0 }} ; 

const CERT_PUBLIC_KEY_INFO CertTestKey3 

= { { szPubKeyTestAlgID, 0}, { sizeof bPubKeyTest 3 , bPubKeyTest 3 , 

0 }} ; 

// Global data 

HMODULE hmodCrypt32 = 0 ; // does not exist in base OS 

R2 

// Local data 

static bool f TestCertAllowed = false ; // true if test certificates 

allowed 

static HCERT STORE hSysStore [ nbrSysStores + 1] = { 0} ;// null terminato 
r 

// Local functions 

static bool CloseCert if icateStores ( ) ; 

static declspec ( noreturn) void ErrorLoad ( const char * pszModName) ; 

static bool IsATestCert ( PCERT_PUBLIC_KEY_INFO pCertPubKey Inf o ) ; 
static bool I sCertValidlnThisStore ( HCERTSTORE hCertStore 

, PBYTE pbCertData 

, DWORD cbCertData 

) ; 

static bool I sTestCertAllowed ( ) ; 

static bool LoadCrypt 32 ( ) ; 

static bool OpenCert if icateStores ( ) ; 

static void cdecl TerminateCert if icates ( ) ; 

/* function Initial! zeCert if icates : 
Static object initialization 

Prepare data structures for certificate management. 

This function is called from the carefully sequenced static object 
initialization in VSInit.cpp. 

*/ 

bool Initiali zeCert if icates ( ) 
{ 

// set the function pointers 
LoadCrypt 32 () ; 

// open the well-known system certificate stores 

// Open: Raise an exception if the call fails, since the call does 
// not raise its own exceptions, 

if ( OpenCert if icateStores ( ) == false) 

LogSecFatal ( "%u", ERROR_SECURE OPEN CERT_S TORES ) ; 

// remember if test certificates are allowed 
f TestCertAllowed = IsTestCertAllowed ( ) ; 
// workaround for bug 9028 

// Increment MSVCRT/MSVCRTD reference count to keep the DLL from being 
// unloaded too early in Win95 OSR2 . In our test, the FreeLibrary 
// call for Crypt32.dll also freed a page containing the current 
// module's onexitbegin table. 

HMODULE hmodMSVCRT - GetModuleHandle ( szMSVCRT) ; 

if ( hmodMSVCRT 1=0) //if release module is pres 

ent 

LoadLibrary ( szMSVCRT) ; // bump its reference count 



else { // if MSVCRT is not loaded 

hmodMSVCRT = GetModuleHandle ( szMSVCRTD) ;// try the debug module 
if ( hmodMSVCRT != 0) //if debug module is presen 

t 

LoadLibrary ( szMSVCRTD) ; // bump its reference count 

} //if MSVCRT is not loaded 
// specify the termination function 
atexit ( TerminateCert if icates ) ; 
// successful return 
return true ; 
} // Init iali zeCert if icates 
/* function I sCertValidlnAnyStore : 

Validate a certificate against a list of certificate stores 
One successful validation is all we require. 

*/ 

bool IsCertValidlnAnyStore ( PBYTE pbCertData 

, DWORD dwDataLength 
, HCERT STORE hStoreMsg 
) 

{ 

// first try the message's certificate store 

if ( IsCertValidlnThisStore ( hStoreMsg, pbCertData, dwDataLength) ) 

return true ; 
// now try the common certificate stores 
int ndxSysStore ; 

for ( ndxSysStore = 0 ; hSysStore [ ndxSysStore] != 0 ; ndxSysStore++) 

{ 

if ( IsCertValidlnThisStore ( hSysStore [ ndxSysStore] 

, pbCertData 
, dwDataLength 
) ) { 

return true ; 

I 

} // loop once for each certificate store 
// error return 
return false ; 
} // IsCertValidlnAnyStore 

// All functions below are private to this file 
/* function IsCertValidlnThisStore: 

Validate a certificate against the specified certificate store 

*/ 

static bool IsCertValidlnThisStore ( HCERT STORE hCertStore 

, PBYTE pbCertData 
, DWORD cbCertData 
) 

{ 

PCCERT_CONTEXT pCertContext = 0 
, pCertCtxPrev = 0 

try { 

// create a context from this certificate 
pCertContext 

= CertCreateCertif icateContext ( X5 0 9_ASN_ENCODING | PKCS_7_ASN_ENC 

ODING 

, pbCertData 
, cbCertData 

) ; 

if ( pCertContext == 0) 

return false ; 
// look for an issuer 

// MSDN recommends the certificate chain verification functions, but 
// but we stick with a technique that also supports Win9x with IE 
// 4.x. 

PCCERT_CONTEXT pCertCtxCurr ; 
do { 

DWORD dwCertFlags = CERT_STORE_S IGNATURE_FLAG ; 
pCertCtxCurr = 

CertGet IssuerCertif icateFromSt ore ( hCertStore 



ylnf o) 



, pCertContext 
, pCertCtxPrev 
, &dwCertFlags 

) ; 

pCertCtxPrev = pCertCtxCurr ; 

DWORD dwLastError = GetLastError ( ) ; // save a possible error cod 
// decide if this one passed muster 

// We also handle the special case of a self-signed certificate, 
if ( ( dwCertFlags & CERT_S TORE_S I GNATURE_FLAG ) ==0) { 

if ( pCertCtxPrev != 0) { //if the call succeeded 

// if test certificates are not allowed, check this issuer 
if ( f TestCertAllowed) // if allowed 

return true ; //no need to check 

return ! IsATestCert ( &pCertCtxPrev->pCert Inf o->Sub jectPublicKe 

} // if issuer found and certificate is valid 
// special case for self-signed certificate 

// WinCrypt.h notes that in this case the signature is still 
// verified. 

if ( dwLastError == CRYPT_E_SELF_S IGNED ) / / self-signed okay with 



us 



return true ; //we are done 

} // if the certificate may have been validated 
} while ( pCertCtxPrev != 0) ; 

I // try 

finally { 

if ( pCertCtxPrev != 0) 

CertFreeCertif icateContext ( pCertCtxPrev) ;// free the last one 
if ( pCertContext != 0) 

CertFreeCertif icateContext ( pCertContext) ; 

} // finally 

// error return 
return false ; 
} // IsCertValidlnThisStore 
/* function CloseCert if icateStores : 

Close the well-known system certificate stores 

*/ 

static bool CloseCert if icateStores ( ) 
{ 

// open all the system stores we can 
int ndxSysStore 

, ndxHandle = 0 

} 

for ( ndxSysStore = 0 ; ndxSysStore < nbrSysStores ; ndxSysSt ore + + ) 
if ( hSysStore [ ndxSysStore] == 0) // if this store not open 

continue ; //go to the next 

CertCloseStore ( hSysStore [ ndxSysStore], 0) ; 
hSysStore [ ndxSysStore] = 0 ; // zero the handle 

} // loop once for each system store 
// successful return 
return true ; 
} // CloseCert if icateStores 
/* function ErrorLoad: 

Report a LoadLibrary error, then raise an exception 

*/ 

declspec ( noreturn) 

void ErrorLoad ( const char * pszModName) 
I 

LogSecFatal ( "%u: %d %s" 

, E RROR_S E CURE_LO AD_L I BRARY 
, GetLastError ( ) 
, pszModName 
) ; 

} // ErrorLoad 

/* function IsATestCert: 

Is this public key from a test certificate? 



static bool IsATestCert ( PCERT_PUBLIC_KEY_INFO pCertPubKey Inf o ) 
{ 

// run the gauntlet of the three public keys used in test certificates 

const DWORD dwCertEncodingType = X5 0 9_ASN_ENC0DING | PKCS_7_ASN ENCOD I 

NG ; 

if ( CertComparePublicKeylnf o ( dwCertEncodingType 

, pCertPubKeylnf o 

, PCERT_PUBLIC_KEY_INFO ( &Cert TestKey 1 ) 
) ) { 

LogSecError ( "%u", ERROR_SECURE TEST CERT_1 ) ; 

return true ; 
} // if a test certificate 

if ( CertComparePublicKeylnf o ( dwCertEncodingType 

, pCertPubKeylnf o 

, PCERT_PUBLIC_KEY_INFO ( &Cert Test Key2 ) 
) ) { 

LogSecError ( "%u", ERROR_SECURE TEST CERT_2 ) ; 

return true ; 
} // if a test certificate 

if ( CertComparePublicKeylnf o ( dwCertEncodingType 

, pCertPubKeylnf o 

, PCERT_PUBLIC_KEY_INFO ( &Cert TestKey3 ) 
) ) { 

LogSecError ( "%u", ERR0R_SECURE_TEST_CERT_3 ) ; 
return true ; 
} // if a test certificate 
// this is not a test certificate 
return false ; 
} // IsATestCert 
/* function I s Test Cert All owed : 

Check the same registry flag as WinVerif yTrust does 

*/ 

static bool I sTestCertAllowed ( ) 
{ 

// open the key 
HKEY hkey ; 

if ( RegOpenKeyEx ( HKEY_CURRENT_USER 
, szKeyTest 

,0 // reserved 

, KEY_QUERY_VALUE 
, &hkey 

) != ERROR_SUCCESS) { 

return false ; 
} //if RegOpenKeyEx failed 
// get the value 
DWORD dwType 
, dwState 

, cbData = sizeof ( dwState) 
} 

if ( RegQueryValueEx ( hkey 

, szValState 

,0 // lpReserved 

, &dwType 

, PBYTE ( &dwState) 

, &cbData 

) != ERROR_SUCCESS) { 
RegCloseKey ( hkey) ; // close the key 

return false ; 

} // if RegQueryValueEx failed 

// close the key 

RegCloseKey ( hkey) ; 

// validate the value type and length 
if ( dwType != REG_DWORD) 

return false ; 
if ( cbData != sizeof ( dwState)) 

return false ; 
// return the status of the test flag 
return ( dwState & WTPF_TRUSTTEST ) != 0 ; 



} // IsTestCertAllowed 
/* function LoadCrypt32 : 

Load Crypt32.dll if it exists 

Integrity clients must support base 0SR2, which lacks Crypt32.dll. 

0SR2 first got Crypt32.dll with IE 4.0. 
We must also ensure that the DLL is not partially loaded as the 

result of a static link from another module. 

*/ 

static bool LoadCrypt 32 ( ) 
{ 

// common variables 

char szSysDir [ MAX_PATH +1] ; 

char szModName [ MAX PATH +20] ; 

// load Crypt32.dll 

// Load from the system directory, to keep an attacker from putting 

// bogus local copies in a private directory. 

Get SystemDirectory ( szSysDir, sizeof szSysDir) ; 

wsprintf ( szModName, "%s\ \Crypt 32 . dll " , szSysDir) ; 

hmodCrypt32 = LoadLibrary ( szModName) ; 

if ( hmodCrypt32 ==0) { 

// Crypt32.dll does not ship with the base release of OSR2 . 

// If the user has it on his system, it probably comes from a 

// version of IE. 

DWORD dwLastError = GetLastError ( ) ; 
OSVERSIONINFO osv ; 

osv . dwOSVersionlnf oSize = sizeof osv ; 

if ( ( dwLastError == ERROR_MOD NOT FOUND 

| | dwLastError == ERROR_DLL NOT_FOUND ) 

&& GetVersionEx ( &osv) != FALSE 

&& osv.dwMa jorVersion == 4 // Win95, 98, ME or NT4 

&& osv . dwMinorVersion == 0 // Win95 or NT4 

&& osv.dwPlatf ormld == VER_PLATFORM_WIN32_WINDOWS ) {// Win95 
return true ; 
} // if OSR2 is missing Crypt32.dll 
// no valid reason for the call to fail 
ErrorLoad ( szModName) ; // no return 

} // if the Crypt32.dll load failed 
// successful return 
return true ; 
} // LoadCrypt 32 

/* function OpenCert if icateStores : 

Open the system certificate stores 

We use these to validate certificates that fail validation in the 
certificate store created from the signature that contains them. 

The reason for the try / except block here is obscure. Cert- 

OpenSystemStore is the first call this DLL makes to Crypt32.dll. 
Since this module may need to run in Win95 OSR2 versions lacking 
Crypt32, we cannot statically link that DLL, nor can other Zone 
modules. Since we rarely test on old Win95 versions, sometimes 
we forget this constraint. Depending on a load order we do not 
carefully control, we may reach this function with the statically 
loaded Crypt32 uninitialized. This causes CertOpenSystemSt ore to 
fault or freeze. We traced a fault case to a CryptGetOIDFunct ion- 
Address call inside CertOpenSystemSystemStore, that used a zero 
argument. The argument came from an global variable that should 
have been initialized by a call to Crypt InitOIDFunct ionSet , but in 
The Twilight Zone the latter function is never called. 

We previous tried checking for a statically loaded Crypt32 before 
we dynamically load it, but that turned out to be a bad idea (bug 
11008, perhaps also 11012), since there are valid cases where 
Crypt32 is statically loaded. 

*/ 

static bool OpenCert if icateStores ( ) 
{ 

// bail out if Crypt32.dll not loaded 
if ( hmodCrypt32 == 0) 

return true ; 
// loop through the canned names 



// Perhaps it would be better to enumerate the keys in 

// HKEY_CURRENT_USER\ Software \Microsoft \ Sy st emCert if icates 

// and 

// HKEY_LOCAL_S YSTEM\ Software \Microsoft \ Sy st emCert if icates 
// the latter in case we run as a service in NT4 . 
int ndxSysStore 

, ndxHandle = 0 

} 

try { // try / except 

for ( ndxSysStore = 0 ; ndxSysStore < nbrSysStores ; ndxSysSt ore++ ) 

{ 

HCERT STORE hStore = CertOpenSystemSt ore ( 0, pszSysStore [ ndxSysSto 

re] ) ; 

if ( hStore != 0) 

hSysStore [ ndxHandle++] = hStore ; 
} // loop once for each system store 
} // try 

except ( EXCEPT I ON_EXECUTE_HANDLER) { 

LogSecError ( "%u %s" 

, ERROR_S ECURE_P O S S_CRYP T 3 2_S T AT_L I NK 
, pszSysStore [ ndxSysStore] 

) ; 

return false ; 

} // except 

// successful return 
return true ; 
} // OpenCertif icateStores 
/* function TerminateCert if icates : 
Static object destruction 
Avoid memory leaks. 

*/ 

static void cdecl TerminateCert if icates ( ) 

{ 

// nothing to do if Crypt32.dll was not loaded 
if ( hmodCrypt32 ==0) 
return ; 

// close the well-known system certificate stores 

CloseCert if icateStores ( ) ; 

// unload the DLL 

FreeLibrary ( hmodCrypt32) ; 
} // TerminateCert if icates 
// GetProcAddress . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File GetProcAddress . cpp : 

Implement our own version of GetProcAddress 

All modules with secure static imports use this function instead 
of KERNEL32 ! GetProcAddress . They reach this function via exported 
function SecureGetProcAddress in SecureAPI . cpp, imported by other 
modules as GetProcAddress (thanks to SecurePE.exe). 

Until we decide whether we can risk breaking Nortel's exthook.dll, 
we route some calls through KERNEL32 ! GetProcAddress . The calls 
exthook.dll cares about are 
Name Ordinal 
connect 4 
gethostbyname 52 
WSAAsyncGetHostByName 10 3 

*/ 

// Pre-compiled header files, must come first 

finclude "VSInit_pch . h" 

#pragma hdrstop 

// Application header files 

^include <vsinit.h> 

f include " vsinit_int . h" 

// Temporary measure, we hope 

// #define KLUGE_FOR_NORTEL_VPN 1 

#ifdef KLUGE_FOR_NORTEL_VPN 

#undef GetProcAddress 

#endif 



// Local data 

// These are ASCIIZ strings XORed with x55. This will keep an 
// attacker from easily finding the string constants we use to 
// locate the OS's GetProcAddress. 
const BYTE bKERNEL32[] 

= { OxlE, 0x10, 0x07, OxlB, 0x10, 0x19, 0x66, 0x67, 0x55} ; 
const BYTE bGetProcAddress [ ] 

{ 0x12, 0x30, 0x21, 0x05, 0x27, 0x3A, 0x36, 0x14 

, 0x31, 0x31, 0x27, 0x30, 0x26, 0x26, 0x55 

I ; 

typedef FARPROC ( WINAPI * GETPROCADDRESS) ( HMODULE, LPCSTR) ; 
static GETPROCADDRESS pGetProcAddres s ; 
// Local functions 

static FARPROC GetProcNotFound ( ) ; 
/* function Initial! zeGetProcAddress : 
Initialize static objects 

This function is called from the carefully sequenced static object 
initialization in VSInit.cpp. 

We retrieve the address of KERNEL32 ! GetProcAddress , for later use in 
processing GetProcAddress requests for forwarded functions. By 
getting this address directly from KERNEL32, and by doing it only 
once, we resist most hooking attempts. The determined attacker, who 
doesn't want to analyze our code, will need to patch the 
GetProcAddress entry point in KERNEL32 in order to hook our calls. 
And when he does, he'll find we call only for a forwarded export. 

Our technique assumes KERNEL32 ! GetProcAddress is not forwarded. If 
it is forwarded in a later version of the OS, the call through the 
uninitialized pGetProcAddress will fault. 

To frustrate attackers further, we build the target module and 
function names from non-ASCII data. 

*/ 

bool Init iali zeGetProcAddress ( ) 
{ 

// get the KERNEL32 module handle 

const int lenModName = sizeof bKERNEL32 ; 

const BYTE bKeyModName = bKERNEL32 [ lenModName - 1] ; 

char s zModName [ lenModName] ; 

int ndxChar ; 

for ( ndxChar = 0 ; ndxChar < lenModName ; ndxChar++) 

szModName[ ndxChar] = bKERNEL32 [ ndxChar] A bKeyModName ; 

HMODULE hmodKernel32 = GetModuleHandle ( szModName) ; 

if ( hmodKernel32 == 0) // should never happen 

return false ; // error return 

// now find the function pointer 

const int lenFuncName = sizeof bGetProcAddress ; 

const BYTE bKeyFuncName = bGetProcAddress [ lenFuncName - 1] ; 

char szFuncName [ lenFuncName] ; 

for ( ndxChar = 0 ; ndxChar < lenFuncName ; ndxChar+-H) 

szFuncName [ ndxChar] = bGetProcAddress [ ndxChar] ^ bKeyFuncName ; 
pGetProcAddress 

= GETPROCADDRESS ( MyGetProcAddress ( hmodKernel32 , szFuncName)) ; 
// successful return 
return true ; 
} // InitializeGetProcAddress 
/* function MyGetProcAddress: 

DIY version of GetProcAddress, resists import table hooking by an 
attacker 

We punt to the real GetProcAddress if we find a forwarder RVA, 
but our technique for calling the real GetProcAddress is also 
somewhat resistant to interception. 

A determined application can still find the real GetProcAddress 
by calling GetProcAddress for "GetProcAddress". We don't have 
any reason to block this yet, but if we did we could compare 
the function pointer we are about to return against the 
pGetProcAddress pointer we retrieved during initialization, 
substituting our function if they match. A good reason not to 
substitute our function is that our DLL may later be unloaded, 
and a call to our function will then fault. 



Our choice of name lets our secure import stub satisfy linker 
references in the importer for the real GetProcAddress . The effect 
is to divert all of the importer's calls to GetProcAddress to us, 
without any changes to the importer's source. 

*/ 

FARPROC MyGetProcAddress ( HMODULE hmod, LPCSTR lpProcName) 
{ 

#ifdef KLUGE_F OR_NORT E L_VP N 

return GetProcAddress ( hmod, lpProcName) ; 
felse 

// the caller has already validated lpProcName 
// now do the work 

try { // try / except 

// find the export directory 

// Since the module has already been successfully loaded by the OS, 
// we assume no further validation is necessary. 
PBYTE pbMod = PBYTE ( hmod) ; 

P IMAGE DOS_HEADER pHdrDOS = P IMAGE DOS HEADER ( hmod) ; 

P IMAGE_NT_HEADERS 3 2 pHdrNT 

= P IMAGE_NT_HEADERS 3 2 ( pbMod + pHdrDOS->e_l f anew) ; 
P IMAGE_OP T 1 0NAL_HEADER3 2 pHdrOpt = &pHdrNT->Opt ionalHeader ; 
P IMAGE_DATA_D I RECTORY pDirExport 

= pHdrOpt->DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT ; 
DWORD dwExpDirRVA = pDirExport->VirtualAddres s 
, dwExpDirSize = pDirExport->Size 

PIMAGE_EXPORT_D I RECTORY pExpDir 

= P IMAGE EXPORT DIRECTORY ( pbMod + dwExpDirRVA) ; 

// macros to simplify conversions 

// The RVAToPtr result must be cast to the appropriate data type. 
#define RVAToPtr (a) PVOID ( PBYTE ( pExpDir) + (a) - dwExpDirRVA) 
tdefine RVAToString ( a) PSTR( RVAToPtr (a)) 
#define RVAToPFn (a) FARPROC ( RVAToPtr (a)) 
#define RVAToPDWord ( a) PDWORD ( RVAToPtr (a)) 
#define RVAToPWord (a) PWORD ( RVAToPtr (a)) 

#define PtrToRVA(a) DWORD ( ( PBYTE (a) - PBYTE ( pExpDir) ) + dwExpDirR 

VA) 

// macro to decide if an export is forwarded 

tdefine I sThisExportForwarded (a) DWORD (a) - dwExpDirRVA < dwExpDirSi 

ze 

// extract some information from the export directory 

PDWORD pdwAddrOf Funcs = RVAToPDWord ( pExpDir->Addres sOf Functions ) ; 

const int nbrFuncs = pExpDir->NumberOf Functions ; 

DWORD dwBaseOrd = pExpDir->Base ; // base ordinal 

PDWORD pdwAddressOf Names = RVAToPDWord ( pExpDir->AddressOf Names ) ; 

PWORD pwAddrOf NameOrds = RVAToPWord ( pExpDir->AddressOf NameOrdinals ) 

} 

// handle ordinals first, since this is simpler 
DWORD dwRVAFunc ; 

if ( DWORD ( lpProcName) < 65536) { 

DWORD dwOrdinal = DWORD ( lpProcName) ; 
int ndxFunc = dwOrdinal - dwBaseOrd ; 
if ( ndxFunc >= nbrFuncs) { 

SetLastError ( E RRO R_ I N VAL I D 0 RD I N AL ) ; 

return 0 ; 
} // if an invalid ordinal 
dwRVAFunc = pdwAddrOf Funcs [ ndxFunc] ; 
if ( IsThisExportForwarded ( dwRVAFunc)) 

return pGetProcAddress ( hmod, lpProcName) ; 
else 

return RVAToPFn ( dwRVAFunc) ; 
} // if an ordinal request 

// import by name, resolved by a binary search of the names array 
// The _ is treated as any other character, suggesting Win32 uses 
// a string sort, not a word sort. So we must use strcmp, not 
// lstrcmp. 
int ndxLo = 0 

, ndxHi = pExpDir->NumberOf Names - 1 



] ) ) 



] ) ) 



, ndxTry 
, nResult 
} 

/ / bail out if there are no names 
if ( ndxHi < 0) 

return GetProcNotFound ( ) ; 
// compare with the low end 
ndxTry — ndxLo ; 

nResult = strcmp ( lpProcName, RVAToString ( pdwAddressOf Names [ ndxTry 

r 

if ( nResult == 0) { // if the first string 

dwRVAFunc = pdwAddrOf Funcs [ pwAddrOf NameOrds [ ndxTry] ] ; 
if ( I sThisExportForwarded ( dwRVAFunc)) 

return pGetProcAddress ( hmod, lpProcName) ; 
else 

return RVAToPFn ( dwRVAFunc) ; 
} // if the first string 

if ( nResult < 0) // if below all the strings 

return GetProcNotFound ( ) ; 
// compare with the high end 
ndxTry = ndxHi ; 

nResult = strcmp ( lpProcName, RVAToString ( pdwAddressOf Names [ ndxTry 



if ( nResult == 0) { // if the last string 

dwRVAFunc = pdwAddrOf Funcs [ pwAddrOf NameOrds [ ndxTry] ] ; 
if ( IsThisExportForwarded ( dwRVAFunc)) 

return pGetProcAddress ( hmod, lpProcName) ; 
else 

return RVAToPFn ( dwRVAFunc) ; 
} // if the last string 

if ( nResult > 0) // if above all the strings 

return GetProcNotFound ( ) ; 
/ / now do the binary search 

// At each iteration the high and low values have been tested, so 
// the search ends in failure when there are no values between 
// them to test, 
int nLimit = 0 ; 

while ( ndxHi - ndxLo > 1) { // while range has an untrie 

d value 

if ( nLimit + 4- > 20) break ; 

ndxTry = ( ndxLo + ndxHi) / 2 ; // rounds down 

nResult = strcmp ( lpProcName, RVAToString ( pdwAddressOf Names [ ndxT 



ry] ) ) 



ess 



ess 



if ( nResult == 0) { // if a match 

dwRVAFunc = pdwAddrOf Funcs [ pwAddrOf NameOrds [ ndxTry] ] ; 
if ( IsThisExportForwarded ( dwRVAFunc)) 

return pGetProcAddress ( hmod, lpProcName) ; 
else 

return RVAToPFn ( dwRVAFunc) ; 
} // if a match 

if ( nResult > 0) //if target is above the gu 

ndxLo = ndxTry ; // move the bottom up 

else // if target is below the gu 



ndxHi = ndxTry ; // move the top down 

} // loop until the range has one index 
return GetProcNotFound ( ) ; 
} // try 

except ( EXCEPTION EXECUTE HANDLER) { 

return GetProcNotFound ( ) ; 

} // except 

#endif 

} // MyGetProcAddress 

/* function GetProcNotFound: 

Coding aid to reduce clutter in VSGetProcAddress 

*/ 

static FARPROC GetProcNotFound ( ) 



{ 

SetLastError ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; 
} // GetProcNotFound 
// GetProcImport . asm 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
COMMENT * 

File GetProcImport . asm: 

Spoof an import reference to avoid a static link to GetProcAddress 
This is part of our program to eliminate static links to GetProc- 
Address, a deterrent to some attacks. 

In VSInit.dll, we replace GetProcAddress calls in our source by calls to 
our custom SecureGetProcAddress , and we enforce this with a macro that 
busts usage of GetProcAddress. But a developer can inadvertently build 
without this macro, or can link a pre-built library containing a call. 
In particular, we use delayed loading of Crypt32.dll since the DLL is 
not present on Win95 OSR2 without IE4 . The delay loader helper calls 
GetProcAddress. We could rebuild the helper (DelayHlp . cpp in the Visual 
Studio VC98\Include directory), but we prefer not to. So we must 
satisfy a call through data variable 

imp GetProcAddress@ 8 

normally done via an import definition in Kernel32 . lib . 

In this file we spoof the definition to avoid the import. We can create 
the desired symbol in C, but only as a function name, and this evidently 
does not keep the linker from using the import. 
* 

.586 

.MODEL FLAT, C 
.CODE 

EXTERN SecureGetProcAddress@8 : NEAR 

PUBLIC _imp GetProcAddress@8 

. DATA 

_imp GetProcAddress@8 DWORD SecureGetProcAddress@ 8 

END 

// SecureAPI . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 

/* File SecureAPI .cpp: 

Functions used to implement secure static links and dynamic links 
Deadlock warning: GetModuleFileName uses the OS's per-process 
critical section. This is the same critical section the OS holds 
for the duration of a DLL's initialization and termination. We also 
use various private critical sections. Many of our functions are 
called during DLL initialization. To avoid deadlock in functions 
called on different threads, we must always request critical 
sections in the same order. So any function that can be called on a 
thread not holding the per-process critical section must ensure it 
does not hold any private critical section when calling GetModule- 
FileName and GetModuleHandle, among other functions. 

*/ 

// Pre-compiled header files, must come first 

^include "VSInit_pch . h" 

tpragma hdrstop 

// Compiler header files 

#include <stdlib.h> 

tinclude <stdio.h> 

f include <map> 

tinclude <set> 

// Application header files 

tinclude <vsinit.h> 

tinclude " vsinit_int . h" 

// Data structures 

typedef FARPROC ( WINAPI * PFNGETPROCADDRESS ) ( IN HMODULE hModule 

, IN LPCSTR lpProcName 

) ; 

Class DYNLINK { 
public : 

HMODULE hmod ; // module handle 

PFNGETPROCADDRESS pGetProcAddress ; // hooked function 



char * pszName 



// full module file path 



PDWORD pdwPatchTarget ; 
BYTE bHookGetProcAddress [ 



12] 



// patch target in I AT 

// multiple of 4 for alignme 



nt 



DYNLINK ( ) 



0) 



} 

-DYNLINK () { 



pszName ( 
hmod ( 0 ) 

pdwPatchTarget ( 0) 
bHookGetProcAddress [ 
bHookGetProcAddress [ 
bHookGetProcAddress [ 
bHookGetProcAddress [ 

if ( pszName != 0) 
delete [] pszName 



0] 
1] 
6] 
7] 



0x58 
0x68 
0x50 
0xe9 



;// 
;// 
;// 
;// 



POP EAX 
PUSH imm- 
PUSH EAX 
JMP NEAR32 



32 



I 

} ; 

typedef DYNLINK * PDYNLINK ; 

static std: : set <PDYNLINK> * psetDynLink = 
class VAL I DATEDMODULE { 
public : 

char * pszName ; 

DWORD dwHash ; 

DWORD nbrExports ; 

DWORD dwModBaseAddr ; 



PDWORD pdwRVAExports ; 
PDWORD pdwHashExports ; 
names 

DWORD dwAddrSecureStaticLink 

el 

PDYNLINK pDynLink ; 
CRITICAL_SECTION cs ; 
std: : set<DWORD> noPatch ; 
ailed 

VAL I DATEDMODULE ( ) 



0 ;// track PDYNLINK pointers 



// fully qualified path name 

// of pszName 

// number of secure exports 

// this module's base addres 

// RVAs for secure exports 

// hash values for exported 

// module's static link funn 

// dynamic link hook 

// serialize access 

// addresses where patches f 



0) 



{ 

-VAL I DATEDMODULE ( ) { 



it 



k hook 



dwModBaseAddr ( 
ps zName ( 0 ) 

dwAddrSecureStaticLink ( 0) 
pDynLink ( 0) 

InitializeCrit icalSection ( &cs) 
DeleteCrit icalSect ion ( &cs) ; 
if ( pszName != 0) 

delete [] pszName ; 
if ( pDynLink != 0) { 

psetDynLink->erase ( pDynLink) 



;// stop tracking 



delete pDynLink 
pDynLink = 0 ; 



// if there is a dynamic lin 



typedef VAL I DATEDMODULE * PVAL I DATEDMODULE ; 
static std: : mult imap<DWORD, PVAL I DATEDMODULE > 



typedef struct IMPORTTBL { 

rePE . cpp 

PVAL I DATEDMODULE pValMod ; 

St 

char szModName [ 1] ; 

} IMPORTTBL, * P IMPORTTBL ; 
// Constants 

# define MAX_NORMAL_ORD INAL 6 5 535 
o 

#define MAX_SECURE_ORD INAL 
const DWORD dwLargePrime = 



// 

// 
// 



pmapValMod = 0 ; 

matches structure in Secu 



for 
the 



this 
next 



imported module 
field must be la 



// variable length 



// so two high bytes are zer 



2047 // 

( lu « 31) - 1 ;// 

// The compiler emits bloated code for aggregate constants 
// or structures) in function scope. 



must match SecurePE.cpp 
8th Mersenne prime 

(e.g., arrays 



const char szKernel32[] = "KERNEL32.dll" 

, szGetProcAddress [ ] = "GetProcAddress" 

, s zDummy Import [ ] = "SUVW" // SUVW ( ) is in this file 

, szUnknown[] = "(Unknown)" 

r 

// Global data 

extern HMODULE g_hModThis ; // this DLL's module handle 

// Local data 

static CRITICAL_SECTION csTable ; // access to the STL map 

static CRITICAL_SECTION csDynLinkHook ; // set a GetProcAddress hook 

static PDWORD pCRCTable ; // used to hash function nam 

es 

Static P VAL I DATEDMODULE pValModBase ; 

static PVAL I DATEDMODULE pValModThis = 0 ; // expect same as pValModBas 
e 

# define MAX_MODULES 4 0 
static int nbrModules = 0 ; 

// Static functions called from other modules (via trickery) 
static FARPROC WINAPI ResolveDynamicLink ( PDYNLINK pDynLink 

, HMODULE hmodTarget 
, LPCSTR pProcName 
) ; 

Static FARPROC WINAPI ResolveSt at icLink ( PVAL I DATEDMODULE pValModCal ler 

, PIMPORTTBL pTable 

) ; 

// Local functions 

static int cdecl CompareDWORD ( const void *el, const void *e2) ; 

static PVAL I DATEDMODULE FindTableS lot ( HMODULE hmod, bool f Addl f NotFound 

) ; 

static FARPROC WINAPI FixupSt at icLinkFunnel ( PVAL I DATEDMODULE pValModNot 
Yet 

, PIMPORTTBL pTable 

) ; 

static const char * GetCallerFileName ( DWORD dwRetAddr 

, char * ps zModNameCaller 
) ; 

static FARPROC GetProcAddressExp ( PVAL I DATEDMODULE pValMod 

, DWORD dwHash 
, DWORD dwHint 

) ; 

static int GetSizeOf Pushlnst ruction ( DWORD dwPushed 

, DWORD dwAddrAf terPush 

, PVAL I DATEDMODULE pValMod 

) ; 

static DWORD HashString( LPCSTR pszString) ; 

static bool I sModulePatched ( PVAL I DATEDMODULE pValMod) ; 

static bool My I sBadStringPointer ( LPCTSTR lpsz, UINT_PTR ucchMax) ; 

static DYNLINK * newDYNLINK ( ) ; 

static bool ParseSecureExport s ( PVAL I DATEDMODULE pValMod) ; 

static PVAL I DATEDMODULE WINAPI SecureLoadLibrary ( LPCSTR lpFileName) ; 

static PDYNLINK SetTheGetProcAddressHook ( HMODULE hmod) ; 

static void cdecl TerminateSecureAP I ( ) ; 

static bool UndoTheGetProcAddressHook ( const DYNLINK * pDynLink) ; 
static PVAL I DATEDMODULE ValidatedModuleFromCodeAddress ( PVOID pvAddr) ; 
/* function AreSecureDynLinksAllowed : 

If they are, patch the calling module to enable them 

A module must pass our validation test, but we cast a wide net. The 
valid module can be the caller, or the current EXE, or any of its 
parent EXEs. This net may be too wide, since it allows access to 
all secure APIs. We might to restrict the APIs available based on 
which module we validate, but this will add an administrative 
burden . 

*/ 

bool WINAPI AreSecureDynLinksAllowed ( HMODULE hmod) 
{ 

// we assume the caller has validated his caller, which may be 
// unsigned, by other means 

// For the OEM API we may need to revisit the caller's validation. 



// Here we validate the process' EXE chain. 

if ( IsMyProcessOrAnAncestorCertif ied ( SAP I_LOG_T VDEBUG ) == false) 

return false ; 
SetTheGetProcAddressHook ( hmod) ; 
return true ; 
} // AreSecureDynLinksAllowed 
/* function MS IPrepareSecureApi : 

patch the calling module to enable them 

*/ 

bool WINAPI MSIPrepareSecureApi ( HMODULE hmod) 
{ 

SetTheGetProcAddressHook ( hmod) ; 

return true ; 
} // MSIPrepareSecureApi 
/* function Init iali zeSecureAP I : 
Initialize static objects 

Prepare data structures for module validation. 

This function is called from the carefully sequenced static object 
initialization in VSInit.cpp. 

*/ 

bool InitializeSecureAPI ( ) 
{ 

// initialize the critical sections 

// The STL map of P VAL I DATEDMODULE pointers is not thread-safe. 
Init ializeCriticalSection ( &csTable) ; 

// Avoid a race when setting a module's GetProcAddress hook. 
Init ializeCriticalSect ion ( ScsDynLinkHook) ; 
// allocate the tables that track validated modules 
pValModBase = new VAL I DATEDMODULE [ MAX_MODULES] ; 

if ( pValModBase == 0) // if allocation failed 

LogSecFatal ( "%u %u", ERROR_SECURE_ALLOCATION 1 ) ; 

// allocate and generate the CRC-32 table 

// We can save 1 KB, plus this table generation code, by pre-defining 
// the CRC-32 table in a shared data segment. The only drawback is 
// that the table is then visible in a disassembly, 
const int TABLE_S I ZE = 2 56 ; 

const int nbrBytes = TABLE_S I ZE * sizeof ( DWORD) ; 

pCRCTable = PDWORD ( HeapAlloc ( GetProcessHeap ( ) , 0, nbrBytes)) ; 
if ( pCRCTable == 0) // if allocation failed 

LogSecFatal ( "%u %u", ERROR_SECURE NOT ENOUGH_MEMORY 2 , nbrBytes) ; 

// populate the table 

const DWORD Polynomial = 0xedb8 832 0 ; 

for ( int ndxOuter = 0 ; ndxOuter < T ABLE_S I Z E ; ndxOuter++) { 
DWORD crc = ndxOuter ; 

for ( int ndxlnner = 0 ; ndxlnner < 8 ; ndxlnner++) { 
if ( ( crc & 1) != 0) 

crc = (crc >> 1) A Polynomial ; 
else 

crc >>= 1 ; 

} 

pCRCTable [ ndxOuter] = crc ; 
} // loop once for each table slot 
// create the multimap 

// We cannot declare the multimap as a static object, since its 

// initializer may not have run before we first use it, causing an 

// access exception. 

// We should check for a nonzero return, but we wouldn't know how 
// to handle an error in an initializer. Let's hope this call 
// always succeeds. 

pmapValMod = new std : : mult imap<DWORD, PVALIDATEDMODULE> ; 
// create the dynamic link tracking set 

// We cannot declare the set as a static object, since its destructor 

// may run before TerminateSecureAP I , causing references to it in 

// that function to fault. 

psetDynLink = new std : : set <PDYNLINK> ; 

// set the termination function 

atexit ( TerminateSecureAPI ) ; 

// successful return 



return true ; 
} // InitializeSecureAPI 
/* function I sModuleVal id : 
As it says 

This validates another module and prepares that module to call 
secure static and dynamic links. The call to this function origi- 
nates in an exception deliberately raised during the subject 
module's initialization. 

The validation itself is done in IsPEFileValid . 

Open: Validate the patch target before patching. Ensure it is 
in the module, and that it contains a virgin pattern. 

*/ 

bool IsModuleValid ( HMODULE hmod, PVALIDATESELF pvalSelf) 
{ 

// get the EXE ' s file name 

// We use this only in fatal error messages, but we retrieve it now 
// to avoid the risk of deadlock. See the file prolog for more 
// information, 
char szMyEXE[ MAX_PATH] ; 

GetModuleFileName ( 0, szMyEXE, MAX_PATH) ; 
// find a table slot 

PVALIDATEDMODULE pValMod = FindTableSlot ( hmod, true) ; 
CCrit SecAutoRelease csAuto ( &pValMod->cs ) ;// serialize access 
// have we previously validated and adjusted this module? 
if ( IsModulePatched ( pValMod) ) // if yes 

return true ; //no need to do it again 

// validate the file 

if ( IsPEFileValid ( pValMod->ps zName, SAP I_LOG_TVDEBUG ) ) { 
// set the module handle 

pValMod->dwModBaseAddr = DWORD ( hmod) ; 

ParseSecureExports ( pValMod) ; // parse the secure export t 

able 

// hook the module's GetProcAddress call if this is not VSInit 
// We track the dynamic link hook here only to reduce memory 
// leakage. If we develop a general anti-leak technique for 
// the DYNLINK blocks, e.g., by hooking each DLL's entry RVA, 
// we should remove this pointer or else we may find ourselves 
// deleting a stale pointer, 
if ( hmod != g_hModThis) { 

PDYNLINK pDynLink = Set TheGetProcAddressHook ( hmod) ; 

if ( pValMod->pDynLink != 0) { // if a prior DynLink hook 

psetDynLink->erase ( pValMod->pDynLink) ;// stop tracking it 
delete pValMod->pDynLink ; // delete it 

} 

pValMod->pDynLink = pDynLink ; // set the new DynLink hook 

} // if not VSInit 

// patch the static link resolver in the calling module so that 

// it jumps to VSInit to patch each static link funnel on the first 

// call to that funnel 

// The dynamic link resolver is initialized via a secure static 
// link in the caller. For OEM callers forbidden to use static 
// links to our modules, we will need addtional processing, 
// probably called from tvlnit iali zeEx . 

// We optimistically neglect to validate the patch address. If it 
// is wrong, bad things will happen soon. 
PatchDWord( pvalSelf ->dwAddrPatchResolveStat ic + 1 

, DWORD ( &FixupStaticLinkFunnel) 

- ( pvalSelf->dwAddrPatchResolveStatic + 5) 

) ; 

// save the starting address of the module's SecureStat icLink 

// Do this last, so that we can use it later to test whether self- 

// validation and patching are already complete. 

pValMod->dwAddrSecureStat icLink = pvalSelf->dwAddrPatchResolveStat ic 

r 

/ / successful return 

return true ; 
} // if validation succeeded 
// validation failed 



// We still hold the csTable critical section, which should avoid 
// multiple concurrent message boxes for this process. 
// display an error message 

// To avoid overloading the user with bad news, we report only one 
// validation error per process, then force a process exit. 
// If preparing a fancy message causes a stack overflow, we'll feel 
// very silly. 

char szMsg[ MAX_PATH +100] ; 

sprintf ( szMsg, "Validation failed for %s.", pValMod->ps zName ) ; 
MessageBox ( 0 

, szMsg 

, szMyEXE 

, MB_OK | MB_ICONSTOP | MB T AS KMOD AL | MB_TOPMOST 

) ; 

// write to the debug log and die 
LogSecFatal ( "%u src=%s trg=%s" 

, E RROR_S E CURE S E L F_VAL I DAT I ON 

, szMyEXE 

, pValMod->ps zName 
) ; 

// avoid a compiler warning 

// The LogSecFatal call keeps us from reaching here, 
return false ; 
} // IsModuleValid 
/* function ResolveDynamicLink : 

Call GetProcAddress on behalf of a self -validated module that has 

one or more secure imports 
This function is called from other modules, but its address is not 
exposed to the linker. 

*/ 

static FARPROC WINAPI ResolveDynamicLink ( PDYNLINK pDynLink 

, HMODULE hmodTarget 
, LPCSTR pProcName 
) 

{ 

// consider validating the DYNLINK block to reduce the chance of 
// our being spoofed by an attacker 
// guard against a bogus pointer 

DWORD dwOrdinal = DWORD ( pProcName) ; // in case of an ordinal req 

uest 

if ( dwOrdinal > MAX NORMAL_ORD INAL ) { // if a string pointer 

const UINT_PTR B I GGE S T P ROC NAME = 64 ; // big enough? 

if ( MylsBadStringPointer ( pProcName, BIGGEST PROC NAME) ) { 

SetLastError ( E RRO R_ I N VAL I D P ARAME T E R ) ; 

return 0 ; // error return 

I 

} // if pProcName is a string pointer 
#if 0 // testing only 

// trace all dynamic link calls 
if ( dwOrdinal <= MAX_NORMAL_ORD I NAL ) { 
char szModFileName [ MAX_PATH] ; 

GetModuleFileName ( hmodTarget, szModFileName, MAX PATH ) ; 

LogSecError ( "%u %s to %s %u" 

, I NF 0_S E CURE D YNAM I C_L I NK 

, pDynLink->ps zName 

, szModFileName 

, dwOrdinal 

) ; 

} 

else { 

char szModFileName [ MAX_PATH] ; 

GetModuleFileName ( hmodTarget, szModFileName, MAX_PATH) ; 
LogSecError ( "%u %s to %s %s" 

, I NF 0_S E C URE_D YNAM I C_L I NK 

, pDynLink->pszName 

, szModFileName 

, pProcName 

) ; 



} 

#endif 

// call the hooked function in the caller's module 

FARPROC pfnResult = pDynLink->pGetProcAddress ( hmodTarget, pProcName) 

r 

// continue only if the function failed with a specific error code 
if ( pfnResult != 0) 

return pfnResult ; 
switch ( GetLastError ( ) ) { 

case ERROR_PROC_NOT_FOUND : 

case E RRO R_ I NVAL I D O RD I NAL : 

break ; //it may be a secure API 

default : 

return 0 ; // error return 

} / / switch on the error code 
// this may be a secure export 
// find the target module's block 

// GetProcAddressExp ensures the block is not stale. 
PVALIDATEDMODULE pValModCal lee ; 
if ( hmodTarget == g_hModThis) 

pValModCallee = pValModThis ; 
else 

pValModCallee = FindTableSlot ( hmodTarget, false) ; 
if ( pValModCallee == 0) { 

Set Last Error ( ERROR_MOD_NOT FOUND ) ; 

return 0 ; // error return 

I 

CCritSecAutoRelease csAuto ( &pValModCallee->cs ) ;// serialize access 
// process a by-ordinal request 

if ( dwOrdinal <= MAX S ECURE ORD I NAL ) { // if an ordinal 

pfnResult = GetProcAddressExp ( pValModCallee, dwOrdinal, DWORD ( -1)) 

} 

if ( pfnResult != 0) // if successful 

return pfnResult ; // return the function point 

er 

LogSecError ( "%u %s %s %u" 

, E RROR_S E CURE_D YN_L I NK_ORD 
, pDynLink->ps zName 
, pValModCallee->ps zName 
, dwOrdinal 

) ; 

SetLast Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // error return 

} // if pProcName is not a string pointer 
// import by name 

// search the target's secure export tables 
DWORD dwHashVal = HashString ( pProcName) ; 

if ( dwHashVal <= MAX_S ECURE ORD I NAL ) { 

LogSecError ( "%u %s %s %s %u" 

, ERROR_SECURE_DYN_LINK_HASH 

, pDynLink->ps zName 

, pValModCallee->pszName 

, pProcName 

, dwHashVal 

) ; 

SetLast Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // error return 

} //if the name hashed to an embargoed ordinal 

pfnResult = GetProcAddressExp ( pValModCallee, dwHashVal, DWORD ( -1)) ; 
if ( pfnResult != 0) // if successful 

return pfnResult ; // return the function point 

er 

LogSecError ( "%u %s %s %s" 

, E RRO R_S E C URE_D YN_L I NK_NAME 
, pDynLink->ps zName 
, pValModCallee->pszName 
, pProcName 



SetLastError ( ERROR_PROC_NOT_FOUND ) 
return 0 ; 



// error return 



} // ResolveDynamicLink 

/* function ResolveSt at icLink : 

Resolve a static link, back patching the caller if possible 
This function is called from other modules, but its address is not 
exposed to the linker. 

*/ 

static FARPROC WINAPI ResolveSt at icLink ( PVALIDATEDMODULE pValModCal ler 

, PIMPORTTBL pTable 



{ 



// retrieve forbidden fruit from the stack 



DWORD dwAddrFunnelRet 
he funnel 

, dwAddrStubRet 
, dwHint 
, dwHash 

, dwAddrCallerRet 



( P DWORD ( &pValModCaller) 



( P DWORD ( &pTable) 

( P DWORD ( &pTable) 

( P DWORD ( &pTable) 

( P DWORD ( &pTable) 



+ 9) 
+ 10) 
+ 11) 
+ 12) 



1 ) / / return in t 



PCPUREGS pRegs = PCPUREGS ( PDWORD ( &pTable) + 1) 



// 
// 
// 
// 
// 
// 
// 
// 
// 
// 
// 



Open: Validate 
Is this really 
since he just 
guard against 



the caller against pValModCaller 

necessary? We know the caller must still exist, 
called us. The only other reason to validate is to 
an attack, but we are already partly protected by 



the obscure way the ResolveStat icLink call is patched into the 
caller's code during self -validation . 
validate the funnel code 

We know almost exactly the machine instructions in the funnel, 
and we validate them here to screen out careless attackers. Of 
course, most attackers will try dynamic links before static 
links . 

/ / IsNearDirectCall ( dwAddrFunnelRet, DWORD ( ResolveStat icLink) ) ; 
DWORD dwAddrFunnel = dwAddrFunnelRet - 16 ; 
const DWORD sizeFunnel = 24 ; 
PBYTE pblnst = PBYTE ( dwAddrFunnel) ; 
if ( I sBadReadPt r ( pblnst, sizeFunnel)) { 
LogSecFatal ( "%u %s %X + %X" 

, ERROR_SECURE BAD FUNNEL 

, pValModCaller->pszName 

, pValModCaller->dwModBaseAddr 

dwAddrFunnel - pValModCaller->dwModBaseAddr 



) 

} // if bad funnel code 

if ( pblnst [0] != 0x60 

I | pblnst [1] != 0x68 
| | pblnst [6] != 0x68 
/* | | IsAddressInThisModule ( 



) { 



( 



// 
// 
// 

PDWORD) ( 



PUSHAD 
PUSH imm 
PUSH imm 
pblnst + 



4-byte value 
4-byte value 
2) ) == false */ 



LogSecFatal ( 



"%u %s %X + %X" 
" %2.2X %2.2X %2.2X %2 . 2X 

ERROR_SECURE BAD FUNNEL 

pValModCaller->pszName 
pValModCaller->dwModBaseAddr 
dwAddrFunnel - pValModCaller 



%2.2X %2.2X %2.2X %2.2X" 



->dwModBaseAddr 



) 



pblnst [ 
pblnst [ 



0] 
4] 



pblnst [ 
pblnst [ 



1] 
5] 



pblnst [ 
pblnst [ 



2] 
6] 



pblnst [ 
pblnst [ 



3] 
7] 



hash value, one for 
PUSH, and the hint 



} // if bad funnel code 
// validate the stub code 

// The stub has two immediate PUSHes, one for the 
// the hint. The hash is almost always a 4-byte 
// is usually a 1-byte PUSH. 
//IsNearDirectCall ( dwAddrStubRet, dwAddrFunnel) ; 

DWORD dwAddrCallFunnel = dwAddrStubRet - 5// near direct call 
, dwAddrPushHint 

= dwAddrCallFunnel - Get SizeOf Pushlnstruct ion ( dwHint 

, dwAddrCallFunne 



) 



pValModCaller 



dwAdcirPushHash 

= dwAddrPushHint 



GetSizeOf Pushlnstruct ion ( dwHash 

, dwAddrPushHint 

, pValModCaller 
) 



e) 



DWORD dwAddrStub = dwAddrPushHash ; 

// load the target module if we have not already done so 

// We allow a LoadLibrary race here, then back out one of the two 

// loads if we find a race occurred. We used to protect this code 

// with a process-wide critical section, but this occasionally 

// caused a deadlock (bug 11458), since this function can be called 

// while the OS holds the _LoaderLock critical section. 

if ( pTable->pValMod ==0) { 

P VAL I DATEDMODULE pValModTarget = SecureLoadLibrary ( pTable->s zModNam 



if ( pValModTarget == 0) 
LogSecFatal ( "%u %d %s 



) 



{ 

X + %X %s" 
E RRO R_S E C URE_L O AD_L I BRARY 
GetLastError ( ) 
pValModCaller->pszName 
pValModCaller->dwModBaseAddr 

dwAddrCallerRet - pValModCaller->dwModBaseAddr 
pTable->szModName 



} 

// 



serialize 



// if the module load failed 

serialize access so we can detect a LoadLibrary race 
CCritSecAutoRelease csAutoCallee ( &pValModTarget->cs ) ;// 
access 

if ( pTable->pValMod != 0) // if we lost a race 

FreeLibrary ( HMODULE ( pTable->pValMod->dwModBaseAddr ) ) ; 
else / / if no race, or if we won 

pTable->pValMod = pValModTarget ; // set the table pointer 

// if the module was not already loaded 
// get the target VAL I DATEDMODULE control block 
// GetProcAddressExp ensures the block is not stale. 
PVAL I DATEDMODULE pValModCal lee = pTable->pValMod ; 

CCritSecAutoRelease csAutoCallee ( &pValModCallee->cs ) ;// serialize ac 
cess 

// find the desired function 

FARPROC pfnTarget = GetProcAddressExp ( pValModCallee, dwHash, dwHint) 



} 



if ( pfnTarget 
ound 

LogSecFatal ( 



0) { 



// if the function was not f 



) 



"%u %s %X %d %s %X + %X" 

ERROR_SECURE_ORD INAL_UNKNOWN 

pValModCallee->pszName 

dwHash 

dwHint 

pValModCaller->pszName 
pValModCaller->dwModBaseAddr 

dwAddrCallerRet - pValModCaller->dwModBaseAddr 



} 



// if the ordinal was not found 
#if 0 // testing only 

LogSecError ( "%u %s %X + %X %X %d -> %s %X + %X" 

, I NF 0_S ECURE_S TAT I C_L I NK 

, pValModCaller->pszName 

, pValModCaller->dwModBaseAddr 

, dwAddrCallerRet - pValModCaller->dwModBaseAddr 

, dwHash 

, dwHint 

, pValModCallee->pszName 

, pValModCallee->dwModBaseAddr 

, DWORD ( pfnTarget) - pValModCallee->dwModBaseAddr 



) ; 

#endif 

// don't try back patching the caller if we have already tried this 
// address and failed 

CCritSecAutoRelease csAutoCaller ( &pValModCaller->cs ) ;// serialize ac 
cess 

if ( pValModCaller->noPatch.find( dwAddrCallerRet ) 
!= pValModCaller->noPatch . end ( ) ) { 
return pfnTarget ; // return target address to 

caller 
I 

// try to back patch the caller 
if ( BackPatch ( dwAddrCallerRet 

, DWORD ( pfnTarget) 

, dwAddrStub 

, pRegs 

) == false) { 
pValModCaller->noPatch . insert ( dwAddrCallerRet) ; 
} // if the back patch failed 
// return the target address to the caller 
return pfnTarget ; 
} // ResolveStat icLink 
/* function SUVW: 

Null function we use to test for a dynamic link hook 

If a module's GetProcAddress function can find this function, it 

is already hooked. 
We created a separate function, rather than use an existing one, 
since we don't want to inadverently expose the name of a secure 
function that currently is only statically linked. 
This name is intentionally obscure. The four byte sequence occurs 
often in code. 

*/ 

void WINAPI SUVW() 
{ 

} / / SUVW 

/* function SecureGetProcAddress : 

DIY version of GetProcAddress, resists import table hooking by an 

attacker, and also resolves secure dynamic links 
With a little magic, calls to GetProcAddress in both VSInit and 

in other self -validating modules go here instead of to KERNEL32 ! 

GetProcAddress . 

*/ 

FARPROC WINAPI SecureGetProcAddress ( HMODULE hmodTarget, LPCSTR pProcNam 

e) 

{ 

// guard against a bogus pointer 

DWORD dwOrdinal = DWORD ( pProcName) ; // in case of an ordinal requ 

est 

if ( dwOrdinal > MAX_NORMAL_ORD I NAL ) { // if a string pointer 
const UINT_PTR B I GGE S T_P ROC_NAME = 256 ;// big enough? 
if ( MylsBadStringPointer ( pProcName, BIGGEST_PROC_NAME) ) { 
SetLastError ( E RRO R_ I N VAL I D_P ARAME T E R ) ; 

return 0 ; // error return 

I 

} // if pProcName is a string pointer 
#if 0 // testing only 

// trace all dynamic link calls 
char szSrcFileName [ MAX PATH] 

, szTrgFileName [ MAX_PATH] 

} 

GetCallerFileName ( * ( PDWORD ( ShmodTarget) -1), szSrcFileName) ; 
GetModuleFileName ( hmodTarget, szTrgFileName, MAX_PATH) ; 
if ( dwOrdinal <= MAX_NORMAL_ORD I NAL ) { 
LogSecError ( "%u %s to %s %u" 

, I NF 0_S E C URE_D YNAM I C_L I NK 

, szSrcFileName 

, szTrgFileName 

, dwOrdinal 



) ; 

} 

else { 

LogSecError ( "%u %s to %s %s" 

, I NF 0_S E C URE_D YNAM I C_L I NK 

, s zSrcFileName 

, szTrgFileName 

, pProcName 

) ; 

I 

#endif 

// look for a conventional import first 

FARPROC pfnResult = MyGetProcAddress ( hmodTarget, pProcName) ; 
// continue only if the lookup failed with a specific error code 
if ( pfnResult != 0) 

return pfnResult ; 
switch ( GetLastError () ) { 

case ERROR_PROC_NOT_FOUND : 

case E RRO R_ I N VAL I D_0 RD I N AL : 

break ; //it may be a secure API 

default : 

return 0 ; // error return 

} // switch on the error code 
/ / this may be a secure export 
// find the target module's block 

// GetProcAddressExp ensures the block is not stale. 

PVALIDATEDMODULE pValModCal lee = FindTableS lot ( hmodTarget, false) ; 
if ( pValModCallee ==0) { 

SetLast Error ( ERROR_MOD NOT FOUND ) ; 

return 0 ; // error return 

} 

// serialize access to the target module 

// We save the callee's module name first, so that we can use it in 
// error messages after releasing the module's block. We release 
// the module's block first, so that we can call GetModuleFileName 
// in those paths without risk of critical section deadlock. Get- 
// ModuleFileName requires the OS's LoaderLock critical section. 
EnterCrit icalSection ( &pValModCallee->cs ) ;// serialize access 
char szModNameCallee [ MAX_PATH] ; 

lstrcpy ( szModNameCallee, pValModCallee->pszName) ; 
// process a by-ordinal request 

if ( dwOrdinal <= MAX S ECURE ORD I NAL ) { // if an ordinal 

pfnResult = GetProcAddressExp ( pValModCallee, dwOrdinal, DWORD ( -1)) 

} 

LeaveCrit icalSection ( &pValModCallee->cs ) ; 

if ( pfnResult != 0) // if successful 

return pfnResult ; // return the function point 

er 

char szModNameCaller [ MAX_PATH] ; 
LogSecError ( "%u %s %s %u" 

, E RROR_S E CURE_D YN_L I NK_ORD 

, GetCallerFileName ( * ( PDWORD ( &hmodTarget) -1) 

, szModNameCaller 
) 

, szModNameCallee 
, dwOrdinal 
) ; 

SetLast Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // error return 

} // if pProcName is not a string pointer 
// import by name 

// search the target's secure export tables 
DWORD dwHashVal = HashString ( pProcName) ; 
if ( dwHashVal <= MAX_S ECURE_ORD I NAL ) { 

LeaveCrit icalSection ( &pValModCallee->cs ) ; 

char szModNameCaller [ MAX_PATH] ; 

LogSecError ( "%u %s %s %s %u" 

, E RRO R_S ECURE DYN LINK_HASH 



, GetCallerFileName ( * ( PDWORD ( &hmodTarget) -1) 

, szModNameCaller 
) 

, szModNameCallee 
, pProcName 
, dwHashVal 
) ; 

Set Last Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // error return 

} //if the name hashed to an embargoed ordinal 

pfnResult = GetProcAddressExp ( pValModCallee, dwHashVal, DWORD ( -1)) ; 
LeaveCrit icalSection ( &pValModCallee->cs ) ; 

if ( pfnResult != 0) // if successful 

return pfnResult ; // return the function point 

er 

char szModNameCaller [ MAX_PATH] ; 
LogSecError( "%u %s %s %s" 

, E RRO R_S E C URE_D YN L I NK_N AME 

, GetCallerFileName ( * ( PDWORD ( &hmodTarget) -1) 

, szModNameCaller 
) 

, szModNameCallee 
, pProcName 

) ; 

SetLast Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // error return 

} // SecureGetProcAddress 

// All functions below are private to this file 
/* function CompareDWORD : 

Comparison function used in our bsearch call 

*/ 

static int cdecl CompareDWORD ( const void *el, const void *e2) 

{ 

DWORD dwl = * PDWORD ( el) 
, dw2 = * PDWORD ( e2) 
} 

if ( dwl < dw2 ) return -1 ; 
if ( dwl > dw2 ) return 1 ; 
return 0 ; 
} // CompareDWORD 
/* function FindTableSlot : 

Find a matching slot in the table that tracks validated modules 
Several error conditions fault rather than return to the caller. 
Critical section csTable is held only inside this function, and is 
not held during any GetModuleXXX calls. 

*/ 

static P VAL I DATEDMODULE FindTableSlot ( HMODULE hmod, bool f Addl f Not Found 

) 

{ 

// convert 0 to the handle of the process 1 EXE 
if ( hmod == 0) { 

hmod = GetModuleHandle ( 0) ; 

if ( hmod == 0) 

LogSecFatal ( "%u %d", ERROR_SECURE_MODULE HANDLE_1 , GetLastError ( ) 

) ; 

} // if the caller wants the current EXE 

// find the file name 

char szFileName[ MAX PATH] ; 

DWORD dwSizeName = GetModuleFileName ( hmod, szFileName, MAX PATH) ; 

if ( dwSizeName ==0) { 
LogSecFatal ( "%u %X %d" 

, E RRO R_ S E C URE_MO D UL E_H AN D L E_2 

, hmod 

, GetLastError ( ) 

) ; 

} //if GetModuleFileName failed 

if ( dwSizeName >= MAX PATH) { //if name is too long 

szFileName [ MAX PATH - 1] = 0 ; // ensure a null terminator 



LogSecFatal ( "%u %s", ERROR_SECURE_FILE_NAME, s zFi leName ) ; 
} //if GetModuleFi leName failed 

// ensure the caller hasn't doctored Win32's copy of his file name, 
// in an attempt to trick us 

HMODULE hmodValidate = GetModuleHandle ( szFileName) ; 
if ( hmodValidate != hmod) { 
LogSecFatal ( "%u %s" 

, E RRO R_S E C URE B AD_MO D UL E_N AME 

, szFileName 

) ; 

} // if the module file name does not lead back to the right handle 
// hash the file name 

DWORD dwHashName = HashString ( szFileName) ; 

// serialize access to the table 

CCrit SecAutoRelease csAuto ( &csTable) ; 

// find the slot to use in the tables 

std: : mult imap<DWORD , PVALIDATEDMODULE> : : iterator iterValMod 

= pmapValMod->f ind ( dwHashName) ; 
if ( iterValMod != pmapValMod->end ( ) ) { 

if ( lstrcmpi ( iterValMod->second->pszName, szFileName) == 0) 

return iterValMod->second ; 
for ( iterValMod++ 

; iterValMod != pmapValMod->end ( ) 

&& iterValMod->second->dwHash — dwHashName 
; iterValMod++ 
) { 

if ( lstrcmpi ( iterValMod->second->ps zName, szFileName) == 0) 
return iterValMod->second ; 
} // check for hash synonyms, very unlikely 
} // if this hash is mapped 

// return empty handed if we weren't asked to add a new entry 
if ( fAddlf Not Found == false) 

return 0 ; 
// ensure there is a free slot 
if ( nbrModules >= MAX_MODULES) 

LogSecFatal ( "%u %s", ERROR_SECURE_VAL I DAT I ON_TABLE_FULL , szFileName 

) ; 

// allocate the new slot 

// The allocated string is never freed during the life of this process 

P VAL I DATEDMODULE pValModNew = pValModBase + nbrModules++ ; 
const DWORD dwSize = lstrlen ( szFileName) + 1 ; 
pValModNew->pszName = new char [ dwSize] ; 
if ( pValModNew->pszName == 0) 

LogSecFatal ( "%u %u", E RRO R_SE CURE NOT ENOUGH_MEMORY 3 , dwSize) ; 

lstrcpy ( pValModNew->pszName, szFileName) ; 
pValModNew->dwHash = dwHashName ; 

pmapValMod->insert ( std : : make_pair ( dwHashName, pValModNew) ) ; 
// save the block pointer for this DLL 

// This will let us skip the lookup and its critical section request 
// in the SUVW path, which may be useful, 
if ( g_hModThis == hmod) 

pValModThis = pValModNew ; 
// return the slot found 
return pValModNew ; 
} // FindTableSlot 

/* function FixupStat icLinkFunnel : 

Back patch a funnel so that it calls the desired code correctly 

and never again reaches here 
After we back patch, we adjust the stack and reexecute the patched 
instructions . 

Open: Validate the instructions we are patching to avoid mysterious 
failure modes. If we validate too carefully, we will lose 
the ability to recover from a partially applied patch. 
Fail cleanly for all errors. 

*/ 

static FARPROC WINAPI FixupStat icLinkFunnel ( PVAL I DATEDMODULE pValModNot 
Yet 



, PIMPORTTBL pTable 
) 

{ 

// retrieve forbidden fruit from the stack 

DWORD dwAddrFunnelRet = * ( P DWORD ( &pValModNot Yet ) - 1) ;// ret in th 
e funnel 

// find the caller's VAL I DATEDMODULE block 

// Since modules with secure exports must self-validate, this block 
// must exist. 

// The pValModNotYet pointer contains bogus data, since we have not 
// yet patched the caller. 
PVAL I DATEDMODULE pValModCal ler 

= ValidatedModuleFromCodeAddress ( PVOID ( dwAddrFunnelRet)) ; 
if ( pValModCaller ==0) // if no VAL I DATEDMODULE bio 

ck 

return 0 ; // bad things will happen 

// there is no harm if two threads race through this code, since 
// they do the same things to the same addresses (except, of course, 
// to the stack return address, which is unique in each thread) 
// change the funnel to push the VAL I DATEDMODULE block 
PatchDWord( dwAddrFunnelRet - 9, DWORD ( pValModCaller) ) ; 
// change the funnel to call ResolveSt at icLink instead of here 
PatchDWord( dwAddrFunnelRet - 4 

, DWORD ( ResolveStaticLink) - dwAddrFunnelRet 

) ; 

// change the return address in the stack to rerun the patched 
// instructions 

* ( PDWORD ( &pValModNotYet) - 1) = dwAddrFunnelRet - 15 ; 
// return to the chosen point 
// The return code is ignored, 
return 0 ; 
} // FixupStat icLinkFunnel 
/* function GetCallerFileName : 

Derive the module file name from the caller's return address 

We return a pointer to the result, for his convenience. In case of 

error, the result may be a constant string. 
We assume the size of the caller's buffer is least MAX_PATH . 

*/ 

static const char * GetCallerFileName ( DWORD dwRetAddr 

, char * pszModNameCaller 
) 

{ 

HMODULE hmodCaller = HModuleFromCodeAddress ( PVOID ( dwRetAddr)) ; 

if ( hmodCaller ==0) // if bogus return address 

return szUnknown ; // error return 

DWORD dwSize = GetModuleFileName ( hmodCaller, pszModNameCaller, MAX_PA 
TH) ; 

if ( dwSize >= MAX_PATH) // if file name is too big 

return szUnknown ; // error return 

return pszModNameCaller ; 
} // GetCallerFileName 
/* function GetProcAddressExp : 

Return a function's address after validating the caller 
We assume the caller holds this block's critical section. 
Open: Should this function be in a class to reduce the pValMod-> 
usage? 

*/ 

static FARPROC GetProcAddressExp ( PVAL I DATEDMODULE pValMod 

, DWORD dwHash 
, DWORD dwHint 
) 

{ 

// ensure the pValMod pointer is still valid 
if ( IsModulePatched ( pValMod) == false) { 
LogSecError( "%u %s %X %d" 

, ERROR_SECURE_BAD_LINK_l 

, pValMod->pszName 

, dwHash 



, dwHint 

) ; 

SetLast Error ( ERROR_MOD_NOT FOUND ) ; 

return 0 ; // return empty handed 

} 

// first try the hint, then do a binary search if necessary 
// The hint is an impossible value (-1) for a dynamic link. 
DWORD ndxExport ; 

if ( dwHint < pValMod->nbrExport s 

&& pValMod->pdwHashExport s [ dwHint] == dwHash) { 
ndxExport = dwHint ; 

I 

else { // if the hint did not help 

PVOID pvFound = bsearch ( &dwHash 

, pValMod->pdwHashExport s 
, pValMod->nbrExport s 
, sizeof ( DWORD) 
, CompareDWORD 

) ; 

if ( pvFound ==0) { 

LogSecError( "%u %s %X %d" 

, E RRO R_S E C URE_B AD_L I NK_2 
, pValMod->ps zName 
, dwHash 
, dwHint 
) ; 

Set Last Error ( ERROR_PROC_NOT_FOUND ) ; 

return 0 ; // return empty handed 

} 

ndxExport = PDWORD ( pvFound) - pValMod->pdwHashExport s ; 
} // if the hint did not help 
#if 0 // testing only 

// trace all resolved links 
LogSecError ( "%u %s %X %d %X + %X" 

, I NF 0_S ECURE_RE S OLVE D_L I NK 
, pValMod->ps zName 
, dwHash 
, dwHint 

, pValMod->dwModBaseAddr 

, pValMod->pdwRVAExport s [ ndxExport] 

) ; 

tendif 

return FARPROC ( pValMod->dwModBaseAddr + pValMod->pdwRVAExport s [ ndxEx 
port] ) ; 

} // GetProcAddressExp 

/* function Get SizeOf Pushlnstruct ion : 

Validate the format of a PUSH instruction, and return its size in byt 

es 

The size is 2 for a short push, 5 for a long push. 

The function does not return if the instruction is invalid. 

*/ 

static int Get SizeOf Pushlnstruct ion ( DWORD dwPushed 

, DWORD dwAddrAf terPush 

, P VAL I DATEDMODULE pValMod 

) 



{ 



// Note that an alias cannot occur, since it would be of the form 

// 6 8 . xx . yy . 6A . z z , where zz.6A.yy.xx, cast as a signed value, was 

// between -128 and 127. 

LONG lPushed = LONG ( dwPushed) ; 

// try a short push first 

if ( lPushed >= -128 && lPushed <= 127) { 
const DWORD sizePush = 2 ; 

DWORD dwAddrPush = dwAddrAf terPush - sizePush ; 
PBYTE pblnst = PBYTE ( dwAddrPush) ; 
if ( IsBadReadPtr ( pblnst, sizePush)) { 
LogSecFatal ( "%u %s %X + %X" 

, ERROR_SECURE_BAD_PUSH_l 



, pValMod->ps zName 

, pValMod->dwModBaseAddr 

, ciwAddrPush - pValMod->dwMociBaseAddr 

) ; 

} // if not a valid short push 

if ( pblnst [ 0] != 0x6a || pblnst [ 1] != BYTE ( dwPushed & Oxf f ) ) 

{ 

LogSecFatal ( "%u %s %X + %X %2.2X %2.2X" 
, E RRO R_S E C URE_B AD_P U S H_2 
, pValMod->pszName 
, pValMod->dwModBaseAddr 
, dwAddrPush - pValMod->dwModBaseAddr 
, pblnst [ 0] 
, pblnst [ 1 ] 

) ; 

} // if not a valid short push 

// return the size to the caller 

return sizePush ; 
} // if a short push 
// must be a long push 
const DWORD sizePush = 5 ; 

DWORD dwAddrPush = dwAddrAf terPush - sizePush ; 
PBYTE pblnst = PBYTE ( dwAddrPush) ; 
if ( IsBadReadPtr ( pblnst, sizePush)) { 
LogSecFatal ( "%u %s %X + %X" 

, E RRO R_S E CURE BAD P U S H_3 

, pValMod->ps zName 

, pValMod->dwModBaseAddr 

, dwAddrPush - pValMod->dwModBaseAddr 

) ; 

} // if not a valid long push 

if ( pblnst [ 0] != 0x68 || * PDWORD ( pblnst + 1) != dwPushed) { 
LogSecFatal ( "%u %s %X + %X %2 . 2X %2.2X %2.2X %2.2X %2.2X" 
, E RRO R_S E C URE_B AD_P U S H_4 
, pValMod->ps zName 
, pValMod->dwModBaseAddr 
, dwAddrPush - pValMod->dwModBaseAddr 
, pblnst [ 0], pblnst [ 1], pblnst [ 2], pblnst [ 3] 
, pblnst [ 4] 

) ; 

} // if not a valid long push 

// return the size to the caller 

return sizePush ; 
} // GetSizeOf Pushlnstruct ion 
/* function HashString: 

Hash a null-terminated string to a DWORD 

We currently use CRC-32 . If we change the algorithm, we must make 
the same change to the hasher in SecurePE.exe, and modules using 
the old hasher will not work with those using the new hasher. 

The caller is responsible for ensuring all bytes of the string, 
including the null terminator, are accessible. 

*/ 

static DWORD HashString ( LPCSTR pszString) 
{ 

// hash the function name 

DWORD dwHash = Oxffffffff ; // initial value 

PBYTE pb ; // byte stream input 

for ( pb = PBYTE ( pszString) ; *pb != 0 ; pb+-H) { 
dwHash = ( ( dwHash >> 8) & OxOOffffff) 

A pCRCTable [ ( dwHash A *pb) & Oxff] ; 

} 

return dwHash ^ Oxffffffff ; // final transformation 

} // HashString 
/* function I sModulePat ched : 

Has a self-validated module been patched? 

Among the uses of this function is to check if a validated module 
has been unloaded and reloaded, whether at the same address or a 
different one. 



We assume the caller holds this block's critical section. 

*/ 

static bool I sModulePatched ( PVALIDATEDMODULE pValMod) 
{ 

// exit early if we haven't even stuffed our table yet 
if ( pValMod->dwAddrSecureStat icLink == 0) 
return false ; 

// guard all the code, since we don't know what we'll find if our 
// information is stale 

try { // try / except 

// ensure the code addresses we are about to inspect are readable 
// This test is technically superfluous, since the SEH block 
// will properly handle stale values. We added the test on 
// 24Dec2003 for Scott, Sky and the AV team, since they have 
// configured the debugger to break on all first chance 
// exceptions, and this exception got in their way. 
// The test is not airtight, but it should catch most real world 
// cases when the old patch target is no longer addressable, 
if ( HModuleFromCodeAddress ( PVOID ( pValMod->dwAddrSecureSt at icLink 
+ 4 ) ) 

!= HMODULE ( pValMod->dwModBaseAddr) ) { 
return false ; 

} 

// check for a near JMP 

if ( * PBYTE ( pValMod->dwAddrSecureStat icLink) != 0xe9) 

return false ; // not what we expected 

// check for the right relative jump offset 
DWORD dwExpected = DWORD ( &FixupSt at icLinkFunnel ) 

- ( pValMod->dwAddrSecureStat icLink + 5) 
} 

if ( * PDWORD ( pValMod->dwAddrSecureStaticLink +1) != dwExpected) 
return false ; // not what we expected 

} // try 

except ( EXCEPT I ON_EXECUTE_HANDLER) { 

// our pointers must be bogus 

// Reset some of the stale information. 

pValMod->dwModBaseAddr = 0 ; 

pValMod->dwAddrSecureStat icLink = 0 ; 

pValMod->noPatch . clear ( ) ; 

if ( pValMod->pDynLink != 0) { 

psetDynLink->erase ( pValMod->pDynLink) ;// stop tracking it 
delete pValMod->pDynLink ; 
pValMod->pDynLink = 0 ; 
} // if there is a dynamic link hook 
// return an error to the caller 
return false ; 

} // except 

// successful return 
return true ; 
} // IsModulePatched 
/* function My I sBadSt r ingPointer : 

Validate a string pointer to avoid faults when the OS is not 

sufficiently defensive 
In Win2K, I sBadSt ringPt r tests only the first and last bytes. 
For a string shorter than a full page (4096 bytes), this test 
is almost good enough. It still does not handle the case of a 
long run of nonzero characters. 
For a faster technique, we could read every 4096th byte, then stuff 
a 0 in the last byte in the typical case when none of the bytes 
tested is 0. But the 0 stuff may unintentionally corrupt other 
data . 

*/ 

static bool MylsBadStringPointer ( LPCTSTR lpsz, UINT_PTR ucchMax) 
{ 

try { 

if ( memchr ( lpsz, 0, ucchMax) != 0) // if null terminator found 

return false ; // the string is good 

I // try 



except ( EXCEPTION EXECUTE HANDLER) { 

} // except 

// either we did not find a null terminator soon enough, or we faulted 
// on a memory access 

return true ; // the string is bad 

} // MylsBadStringPointer 
/* function newDYNLINK: 
Construct a new object 

This silly function avoids compiler error C2712 when we compile with 
the -GX option. 

*/ 

Static DYNLINK * newDYNLINK ( ) 
{ 

return new DYNLINK ; 
} // newDYNLINK 

/* function ParseSecureExport s : 
Parse the secure export table 

This function is called after a successful self-validation. 

*/ 

static bool ParseSecureExport s ( P VAL I DATEDMODULE pValMod) 
{ 

// point to the module base 

PBYTE pbMod = PBYTE ( pValMod->dwModBaseAddr ) ; 
// parse the secure export directory 

// Relocate the function RVAs and save pointers to the table, 
bool fResult = false ; // assume failure 

try { // try / except 

// find the export directory in this module file 

P IMAGE DOS HEADER pHdrDOS = P IMAGE DOS HEADER ( pbMod) ; 

if ( pHdrDOS->e_magic != f ZM') 

return false ; // error return 

P IMAGE NT HEADERS 32 pHdrNT 

= P IMAGE_NT_HEADERS 3 2 ( pbMod + pHdrDOS->e_l f anew) ; 
if ( pHdrNT->Signature 1= ' EP ' ) 

return false ; // error return 

if ( pHdrNT->FileHeader .Machine != IMAGE_FILE_MACHINE_I 3 8 6) 

return false ; // error return 

if ( ( pHdrNT->FileHeader .Characteristics & IMAGE_F I LE_EXECUTABLE_IM 

AGE) 

==0) { 

return false ; // error return 

} 

if ( pHdrNT->OptionalHeader .Magic != IMAGE NT OPTIONAL HDR32_MAGIC ) 

return false ; // error return 

P IMAGE D AT A_D I RECTORY pDirExport 

= pHdrNT->OptionalHeader . Dat aDirect ory + IMAGE_D IRECTORY ENTRY_EXP 

ORT ; 

// does this module have an export directory? 
// ZAPro.exe and IClient.exe do not. 

if ( pDirExport->VirtualAddress ==0 | | pDirExport->Si ze == 0) 
return false ; 

// the secure export directory immediately follows the regular one 
// Open: Should we add a validation field to the header? 
PDWORD pdwNbrExports = PDWORD ( pbMod 

+ pDirExport->VirtualAddress 

+ pDirExport->Si ze 

) ; 

pValMod->nbrExport s = *pdwNbrExports ; 

PDWORD pdwSignature = pdwNbrExports + 1 + pValMod->nbrExport s * 2 ; 
if ( ^pdwSignature != ( pValMod->nbrExport s A 0x5aa5a55a) * dwLargeP 
rime ) 

return false ; // if the signature is not v 

alid 

pValMod->pdwRVAExport s = pdwNbrExports + 1 ; 

pValMod->pdwHashExports = pValMod->pdwRVAExport s + pValMod->nbrExpor 

ts ; 

// successful return 
fResult = true ; 



} // try 

except ( EXCEPTION EXECUTE HANDLER) { 

} // except 

// return to the caller 
return fResult ; 
} // ParseSecureExport s 
/* function SecureLoadLibrary : 

Load a module with secure exports, and return its P VAL I DATEDMODULE 
block 

*/ 

static PVAL I DATEDMODULE WINAPI SecureLoadLibrary ( LPCSTR lpFileName) 
{ 

// load the module 

// Since we usually have an unqualified file name, we don't know the 
// full path name until after the load succeeds. 
HMODULE hmod = LoadLibrary ( lpFileName) ; 
if ( hmod == 0) 

return 0 ; 
// find the PVAL I DATEDMODULE block 

// Since modules with secure exports must self-validate, this block 
// must exist. 

return FindTableSlot ( hmod, false) ; 
} // SecureLoadLibrary 

/* function SetTheGetProcAddressHook : 

Hook the address in the caller's import table 

We find KERNEL32.dll in the import directory, then GetProcAddress 
in the import lookup table, then the desired address at the matching 
offset in the import address table. This technique supports a prior 
GetProcAddress hook by another program. 

Since we support prior hooking of GetProcAddress, we need a place to 
save the prior address. So we allocate memory. But then the hook 
needs to find that memory. So we provide it as an argument to the 
hook. We put the code that does this in the allocated memory. 

The problem with allocating is that we can leak process memory. We 
associate memory with a DLL, but we don't know when that DLL is 
unloaded. If the EXE repeatedly bounces the DLL, we will accumulate 
memory for the DLL. We could map the memory by the module name, as 
we do for the VAL I DATEDMODULE control blocks, but the application 
can trick us by loading each new copy with a temporary file name, as 
the Wise Installer does. Also, using a table structure, or links 
among control blocks, requires serialization calls to avoid 
threading problems. We may try hooking the DLL's DLL_PROCESS_ 
DETACH, but then we must somehow guarantee that VSInit.dll is not 
unloaded first. 

One advantage of allocating is that this creates an opportunity 
in the future to add a validation field, to make it harder for 
an attacker to gain access to all our secured dynamic links. 
Open: For modules that have just been through ParseSecureExport s , 
the validation here is redundant. 
Consider adding unique log calls in each error path. 

*/ 

static PDYNLINK SetTheGetProcAddressHook ( HMODULE hmod) 
{ 

// get the module file name early, so that we can use a private 
// critical section later without worrying about deadlock 
// See the file prolog for more information about deadlock risks, 
char szFileName[ MAX PATH] ; 

DWORD dwSizeName = GetModuleFileName ( hmod, szFileName, MAX_PATH) ; 
if ( dwSizeName ==0) { 
LogSecFatal ( "%u %X %d" 

, ERROR_SECURE_MODULE HANDLE_3 

, hmod 

, GetLastError ( ) 

) ; 

} //if GetModuleFileName failed 

if ( dwSizeName >= MAX_PATH) { //if name is too long 

szFileName [ MAX PATH - 1] = 0 ; // ensure a null terminator 

LogSecFatal ( "%u %s", ERROR_DYNLINK FILE NAME , szFileName) ; 



} //if GetModuleFileName failed 

// we protect this access in case we have a bogus module handle 
// The success of the call above makes a bogus module handle very 
// unlikely. 

PDWORD pdwIAT ; // import address table 

PFNGETPROCADDRESS pGetProcAddress ; // pointer before we patch 

int ndxGetProcAddress ; // index in import lookup ta 

ble 

try { // try / catch 

// point to the module base 
PBYTE pbMod = PBYTE ( hmod) ; 

// find the import directory in this module file 

P IMAGE DOS HEADER pHdrDOS = P IMAGE DOS HEADER ( pbMod) ; 

if ( pHdrDOS->e_magic != f ZM') 

return 0 ; // error return 

P IMAGE NT HEADERS 3 2 pHdrNT 

= PIMAGE_NT_HEADERS32 ( pbMod + pHdrDOS->e_l f anew) ; 
if ( pHdrNT->Signature != ' EP 1 ) 

return 0 ; // error return 

if ( pHdrNT->FileHeader .Machine != IMAGE_FILE_MACHINE_I 3 8 6) 

return 0 ; // error return 

if ( ( pHdrNT->FileHeader .Characteristics & IMAGE_F I LE_EXECUTABLE_IM 

AGE) 

== 0) { 

return 0 ; // error return 

I 

if ( pHdrNT->OptionalHeader .Magic != IMAGE NT OPTIONAL HDR32_MAGIC ) 

return 0 ; // error return 

PIMAGE_DATA_D I RECTORY pDirlmport 

= pHdrNT->Opt ionalHeader . DataDirectory + I MAG E D I RE C T O R Y E N T R Y_ IMP 



ORT 



) 



// does this module have an import directory? 

// Since every module of interest does, we probably can remove this 
// test. 

if ( pDir Import->VirtualAddress == 0 | | pDir Import->Si ze == 0) 
return 0 ; 

// find the import descriptor for KERNEL32.dll 

// We could consider using pDir Import->Si ze to bound the loop, but 
// the documentation claims the array is terminated by an entry 
// of all zeroes. 

PIMAGE_IMPORT_DESCRIPTOR plmportDescript or ; 
for ( plmportDescriptor 

= PIMAGE_IMPORT_DESCRIPTOR( pbMod + pDir Import->VirtualAddress 



; pImportDescriptor->Name != 0 

&& lstrcmpi ( PSTR( pbMod + plmportDescript or->Name ) , szKernel 

32) != 0 

; pImportDescriptor++ 
) { 

} // loop until we find the KERNEL32.dll import descriptor 

if ( pImportDescriptor->Name ==0) //if KERNEL32.dll not found 

return 0 ; // error return 

// search the KERNEL32 import lookup table for GetProcAddress 
PDWORD pdwLookup ; 

for ( pdwLookup = PDWORD ( pbMod + pImportDescriptor->OriginalFirstTh 

unk) 

, ndxGetProcAddress = 0 
; *pdwLookup != 0 
; pdwLookup++ 

, ndxGetProcAddress-H + 
) { 

// we expect an import by name 

if ( ( *pdwLookup & IMAGE_ORDINAL_FLAG32) != 0) 

continue ; //if import by ordinal 

/ / compare the name, which comes after the hint 
if ( lstrcmp( PSTR( pbMod + *pdwLookup + sizeof ( WORD)) 

, szGetProcAddress 

) == 0) { 



break ; 

} // if the desired function 
} // loop until we find the GetProcAddress slot 

if ( *pdwLookup ==0) //if GetProcAddress not fou 

nd 

return 0 ; // error return 

// save the address of the caller's GetProcAddress 
pdwIAT = PDWORD ( pbMod + plmportDescript or->First Thunk ) ; 
pGetProcAddress = PFNGETPROCADDRESS ( pdwIAT [ ndxGetProcAddres s ] ) ; 
// is this module's GetProcAddress call already hooked by us? 
// This call, for a secured export in VSInit, succeeds only if 
// the module's GetProcAddress call is already hooked. 
// Do not hold any private critical sections during this call, 
// since the call will reach FindTableSlot if the module's 
// GetProcAddress is already hooked, and that function calls 
// GetModuleFileName . 

if ( pGetProcAddress ( g_hModThis, s zDummy Import ) ) 
return 0 ; 
} // try 
catch (...) { 

return 0 ; 
} // catch 

// now serialize access to avoid a race between two threads to 
// hook the same DLL 

// Since we don't have a control block just for this module we use 
// a critical section for the entire process. 

// We can't use our CCrit SecAutoRelease class here without breaking 
// up this function, since MSVC does not allow SEH to coexist with 
// objects requiring destruction (warning C4509). 
EnterCrit icalSection ( &csDynLinkHook) ; 
// bail out if another thread has just set the hook 
// We ignore the case where a program other than ours races to 
// set the hook. We blithely assume that is a very rare event, 
if ( pGetProcAddress != PFNGETPROCADDRESS ( pdwIAT [ ndxGetProcAddress ] ) 
) { 

LeaveCrit icalSection ( &csDynLinkHook) ; 

return 0 ; // bail out 

I 

// allocate a block for this hook 
PDYNLINK pDynLink = newDYNLINK ( ) ; 
pDynLink->pGetProcAddress = pGetProcAddress ; 
const DWORD dwSize = dwSizeName + 1 ; 
pDynLink->ps zName = new char [ dwSize] ; 
if ( pDynLink->ps zName == 0) 

LogSecFatal ( "%u %u", ERROR_SECURE NOT ENOUGH_MEMORY 3 , dwSize) ; 

lstrcpy ( pDynLink->pszName, szFileName) ; 

pDynLink->hmod = hmod ; // module handle 

// finish building our hook 

// The hook pops the return address, pushes the address of the 
// DYNLINK block, pushes the return address back, then jumps to 
// the common hook. 

* PDWORD ( pDynLink->bHookGetProcAddress + 2) = DWORD ( pDynLink) ; 

* PDWORD ( pDynLink->bHookGetProcAddress + 8) 

= DWORD ( ResolveDynamicLink) - DWORD ( pDynLink->bHookGetProcAddress 
+ 12) ; 

// point the IAT to our hook 

pDynLink->pdwPatchTarget = pdwIAT + ndxGetProcAddress ; 
PatchDWord( DWORD ( pDynLink->pdwPat chTarget ) 

, DWORD ( pDynLink->bHookGetProcAddress) 

) ; 

// insert the block into the tracking set 
psetDynLink->insert ( pDynLink) ; 
// return to the caller 

LeaveCrit icalSection ( &csDynLinkHook) ; 

return pDynLink ; 
} // SetTheGetProcAddressHook 
/* function TerminateSecureAP I : 
Destructor 



Free the constructor's allocations, to avoid memory leaks. 

*/ 

static void cdecl TerminateSecureAPI ( ) 

{ 

// validated modules 

// We delete these before the dynamic link hooks, since these 
// destructors delete some elements of psetDynLink. 
if ( pmapValMod != 0) { 

// free the dynamic allocations in each block 

std: : mult imap<DWORD, PVALIDATEDMODULE> :: iterator iterValMod ; 
for ( iterValMod = pmapValMod->begin ( ) 

; iterValMod != pmapValMod->end ( ) 

; iterValMod++ 

) { 

if ( iterValMod->second->ps zName != 0)// if there is a file name 
delete [] iterValMod->second->pszName ;// delete the name 

if ( iterValMod->second->pDynLink != 0) { 

psetDynLink->erase ( iterValMod->second->pDynLink) ;// stop track 

ing it 

delete iterValMod->second->pDynLink ; 
iterValMod->second->pDynLink = 0 ; 
} // if there is a dynamic link hook 
} // loop once for each dynamic link hook 
// empty the map 
pmapValMod->clear ( ) ; 
// destroy the map 
delete pmapValMod ; 
} //if pmapValMod was allocated 
// dynamic link hooks 
if ( psetDynLink != 0) { 

// loop until the dynamic link set is empty 
std :: set<PDYNLINK> :: iterator iterDynLink ; 
for ( iterDynLink = psetDynLink->begin ( ) 
; iterDynLink != psetDynLink->end ( ) 
; iterDynLink = psetDynLink->begin ( ) 
) { 

PDYNLINK pDynLinkToDelete = ^iterDynLink ; 

UndoTheGetProcAddressHook ( pDynLinkToDelete) ;// unhook GetProcAdd 

ress 

psetDynLink->erase ( iterDynLink) ; // remove from the set 

delete pDynLinkToDelete ; // delete the block 

} // loop once for each dynamic link hook 
// destroy the set 
delete psetDynLink ; 
} // if psetDynLink was allocated 
// destroy the critical sections 
DeleteCriticalSect ion ( &csTable) ; 
DeleteCrit icalSect ion ( &csDynLinkHook) ; 
// free the CRC table 
if ( pCRCTable != 0) 

HeapFree ( GetProcessHeap () , 0, pCRCTable) ; 
} // TerminateSecureAPI 

/* function UndoTheGetProcAddressHook: 

Restore the address in the caller's import table 

*/ 

static bool UndoTheGetProcAddressHook ( const DYNLINK * pDynLink) 
{ 

// validate the module handle and file name 
char szFileName[ MAX PATH] ; 

DWORD dwSizeName = GetModuleFileName ( pDynLink->hmod, szFileName, MAX_ 
PATH) ; 

if ( dwSizeName ==0 | | dwSizeName >= MAX_PATH) 

return false ; 
if ( lstrcmpi ( szFileName, pDynLink->ps zName ) != 0) 

return false ; 
// validate the current import table contents 

// If someone else hooked the value after us, we do not restore the 
// original value. If that other hook calls us after we unload, the 



// application will fault. 

HMODULE hmodValidate = HModuleFromCode Address ( pDynLink->pdwPat chTarge 
t) ; 

if ( hmodValidate != pDynLink->hmod) 
return false ; 

if ( * ( pDynLink->pdwPatchTarget ) != DWORD ( pDynLink->bHookGetProcAdd 
ress) ) 

return false ; 
// restore the original address 
PatchDWord( DWORD ( pDynLink->pdwPat chTarget ) 
, DWORD ( pDynLink->pGetProcAddress) 

) ; 

// return to the caller 

return true ; 
} // UndoTheGetProcAddressHook 
/* function ValidatedModuleFromCodeAddress : 
Derive a control block pointer 

Open: Validate the control block, including whether the caller's 
code address is within the .text section. 

*/ 

static P VAL I DATEDMODULE ValidatedModuleFromCodeAddress ( PVOID pvAddr) 
{ 

// find the caller's module handle 

HMODULE hmod = HModuleFromCodeAddres s ( pvAddr) ; 

if ( hmod == 0) //if no module handle 

return 0 ; // error return 

// find the caller's VAL I DATEDMODULE block 
return FindTableSlot ( hmod, false) ; 
} // ValidatedModuleFromCodeAddress 
/* function I f Validat ionSucceeded : 

Validate the module that raised the exception 

*/ 

bool IfValidationSucceeded ( PVALIDATESELF pvalSelf) 
{ 

// get the module handle 

HMODULE hmod = HModuleFromCodeAddres s ( pvalSelf->EIP InCaller ); 
if ( hmod — 0 ) 

return false; 
// validate the requested module 

// The call returns only if validation succeeds. 

return IsModuleValid ( hmod, pvalSelf ); 
} // IfValidationSucceeded 
// SecureError . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File SecureError . cpp : 

Report errors related to module validation or secure API 

*/ 

// Pre-compiled header files, must come first 

#include "VSInit_pch . h" 

#pragma hdrstop 

// Compiler header files 

f include <tchar.h> 

finclude <stdio.h> 

^include <stdarg.h> 

// Application header files 

finclude <vsinit.h> 

finclude " vsinit_int . h" 

// Constants 

const char szPfx[] = "[SAPI] " // stands for Secure API 

, szSfx[] = "\n" // terminate the line 

} 

/ / Local data 

static DWORD ndxTLS = TLS_OUT_OF_INDEXES ; // index of thread local sto 
rage 

// Local functions 

static void LogSecCommon ( va_list * pmarker, const char * fmt, DWORD dwL 
ogFlag ) ; 

static bool My I sBadSt ringPointer ( LPCTSTR lpsz, UINT_PTR ucchMax) ; 



static void cdecl TerminateSecureErrorLogging ( ) ; 

/* function EnableSecureErrorLogging : 

Set logging on or off for the current thread 

*/ 

void EnableSecureErrorLogging ( DWORD dwLogFlag) 
{ 

// set the value 

if ( ndxTLS != TLS_OUT_OF_INDEXES ) 

TlsSetValue( ndxTLS, PVOID ( dwLogFlag)) ; 
} // EnableSecureErrorLogging 
/* function Init iali zeSecureErrorLogging : 
Allocate resources 

*/ 

bool Init iali zeSecureErrorLogging () 
{ 

// specify the termination function 
atexit ( TerminateSecureErrorLogging) ; 
// allocate the thread local storage index 
ndxTLS = TlsAllocO ; 

if ( ndxTLS == TLS_OUT_OF_INDEXES ) 

return false ; 
// the value is initially true 
TlsSetValue( ndxTLS, PVOID ( true)) ; 
// successful return 
return true ; 
} // InitializeSecureErrorLogging 
/* function LogSecError: 
Write error information 

*/ 

void cdecl LogSecError ( const char * fmt, . ..) 

I 

// exit early if logging is disabled 
DWORD dwLogFlag = SAPI_LOG_TVDEBUG; 
if ( ndxTLS != TLS_OUT_OF_INDEXES 

&& (dwLogFlag = (DWORD) TlsGetValue ( ndxTLS)) == SAP I_LOG_NONE 

&& GetLastError ( ) == NO_ERROR) { 
return ; 

} // if error logging is disabled 
// prepare the argument list 
va_list marker ; 
va_start ( marker, fmt) ; 
// do the common work 

LogSecCommon ( &marker, fmt, dwLogFlag) ; 
} // LogSecError 
/* function LogSecFatal : 

Write error information and die 

*/ 

declspec ( noreturn) 

void cdecl LogSecFatal ( const char * fmt, . ..) 

{ 

// prepare the argument list 
va_list marker ; 
va_start ( marker, fmt) ; 
// do the common work 

LogSecCommon ( &marker, fmt, SAP I_LOG_EVENTLOG) ; 

DbgPrintfEx( ODF_ALWAYS | ODF_ODS | ODF STACKTRACE, "%sFatal error\n", 

szPfx) ; 

unsigned int dumpFlags = GetEnvironment Int ( " tvdumpf lags " , 0) ; 
if ( ( dumpFlags & TVDUMP_SECOND_CHANCE ) != 0) { 
char zLogDir [ MAX_PATH] ; 

Get InternetLogsDirectoryEx ( zLogDir, sizeof zLogDir) ; 
// this isn't a second chance exception, but we want to go through 
// that path's impersonation restore 
WriteMemoryDump ( dump_second_chance 
, GetCurrentProcessId ( ) 
, ( dumpFlags & TVDUMP_FULL) ? FULL_DUMP : S MAL L_D UMP 
, NULL 
, zLogDir 



) ; 

} // if a dump was requested 
// die a horrible death 

// ExitProcess is rarely used in our code. We may need to replace it 
// with something more suitable. 
ExitProcess ( 1) ; 
} // LogSecFatal 

// All functions below are private to this file 
/* function LogSecCommon : 

Processing common to both public functions 

*/ 

static void LogSecCommon ( va_list * pmarker, const char * fmt, DWORD dwL 

ogFlag ) 

{ 

// limit the buffer 
const int bufSize = 1024 

, lenPfx = sizeof szPfx - sizeof szPfx [ 0] 

, lenSfx = sizeof szSfx - sizeof szSfx [ 0] 

, bufLeft = bufSize - lenPfx - lenSfx 

} 

char szBuf [ bufSize] ; 

// write the prefix 

memcpy ( szBuf, szPfx, lenPfx) ; 

char * pszBuf = szBuf + lenPfx ; 

// guard against a sloppy caller 

// The caller should validate the string pointers he sends us, 
// since we cannot easily do this, 
const UINT_PTR MAX FMT S T R I NG = 1024 ; 

if ( MylsBadStringPointer ( fmt, MAX FMT STRING) ) { 

LogSecError ( "%u", ERROR_SECURE BAD LOG_FORMAT ) ; 

return ; 

} 

// write the body of the message 

int count = _vsnprintf ( pszBuf , bufLeft, fmt, *pmarker) ; 
if ( count == -1 ) 

count = _strncnt ( pszBuf, bufLeft) ; 
count += lenPfx ; 
// append the suffix 
strcpy ( szBuf + count, szSfx) ; 
// log the message 

if ( dwLogFlag == SAP I_LOG_EVENTLOG) 
{ 

LPCTSTR pStrings[] = { szBuf }; 
VSReportEventID ( 

EVENTLOG_ERROR_TYPE, 

EVENT_SECURE_AP I , 

elementsof (pStrings) , 

pStrings ) ; 

I 

else if ( dwLogFlag == SAPI_LOG_TVDEBUG) 
DbgOutput ( ODF_ALWAYS | ODF_ODS, count + lenSfx, szBuf) ; 
#ifdef _DEBUG 
else 

DbgPrintfEx( ODF_ALWAYS | ODF ODS | ODF_STACKTRACE , "LogSecCommon invalid 1 

og flags \n" ) ; 
tendif 

} // LogSecCommon 

/* function MylsBadStringPointer: 

Validate a string pointer to avoid faults when the OS is not 

sufficiently defensive 
In Win2K, I sBadSt ringPt r tests only the first and last bytes. 

For a string shorter than a full page (4096 bytes), this test 

is almost good enough. It still does not handle the case of a 

long run of nonzero characters. 
For a faster technique, we could read every 4096th byte, then stuff 

a 0 in the last byte in the typical case when none of the bytes 

tested is 0. But the 0 stuff may unintentionally corrupt other 

data . 



*/ 

static bool MylsBadStringPointer ( LPCTSTR lpsz, UINT_PTR ucchMax) 
{ 

try { 

if ( memchr ( lpsz, 0, ucchMax) != 0) // if null terminator found 

return false ; // the string is good 

I // try 

except ( EXCEPT ION_EXECUTE_HANDLER) { 

} // except 

// either we did not find a null terminator soon enough, or we faulted 
// on a memory access 

return true ; // the string is bad 

} // MylsBadStringPointer 

/* function TerminateSecureErrorLogging : 
Release resources 

*/ 

static void cdecl TerminateSecureErrorLogging ( ) 

{ 

if ( ndxTLS != TLS_OUT_OF_INDEXES ) 
TlsFree ( ndxTLS) ; 
} // TerminateSecureErrorLogging 
// ValidatePEFile . cpp 

// Copyright (c) 2004. Zone Labs, LLC All Rights Reserved. 
/* File ValidatePEFile . cpp : 

Validate the code signature and signing organization of a PE file 

*/ 

// Pre-compiled header files, must come first 

finclude "VSInit_pch . h" 

#pragma hdrstop 

// Windows header files 

^include <wincrypt.h> 

^include <wintrust.h> 

// Application header files 

# include <VSInit . h> 

#include "VSInit_int .h" 

// Local class to save signature parse information 

class CASNlBERNode 

{ 

public : 

CASNlBERNode ( ) ; 
-CASNlBERNode ( ) ; 

class CASNlBERNode * m_Next Sibling ; 

class CASNlBERNode * m_FirstChild ; 

class CASNlBERNode * m_Parent ; 

DWORD m_Length ; 

DWORD m_LenHdr ; 

PBYTE m_RawData ; 

DWORD m_Tag ; 

BYTE m_RawTag ; 

DWORD m_NbrChildren ; 

} ; // class CASNlBERNode 
// Universal types 

tdefine ASN_TYPE_INTEGER 2 

tdefine ASN TYPE BITS 3 

fdefine ASN_TYPE_OCTET STRING 4 
fdefine ASN_TYPE_NULL 5 
tdefine ASN_TYPE_OID 6 

tdefine ASN_TYPE PRINTABLE STRING 19 

tdefine ASN_TYPE_T6 1 STRING 20 
// Macros 

#define RoundUp (X, Y) (((X) + (Y) - 1) & ~((Y)-1))// assumes Y = 2^n 
#define IsOID(a,b) ( (a) ->m_RawTag == ASN_TYPE_OID \ 

&& (a) ->m_Length == sizeof (b) \ 

&& memcmp ( (a) ->m_RawData, (b) , sizeof (b) ) — 0) 

// Constants 

// The compiler emits bloated code for aggregate constants (e.g., arrays 
// or structures) in function scope. 

const char * ps zValidSigners [ ] = { "Zone Labs, Inc" 



, "AT&T" 

, "Computer Associates International" 

, "BigPlanet" 

, "NuSkin International" 

, "Check Point Software Technologies Ltd." 

, "Fiberlink Communications" 

, "Funk Software, Inc." 

} ; 

const int nbrValidSigners = elementsof ( ps zValidSigners ) ; 
const WCHAR * pwszValidSigners [ ] = { L"AT&T" 

, L"Computer Associates International" 

, L"Fiberlink Communications" 

, L"Funk Software, Inc." 

} ; 

const int nbrValidUniSigners = elementsof ( pwszValidSigners) ; 
const BYTE bPKCS7SignedData [ ] // 1.2.840.113549.1.7.2 

= { 0x2A, 0x86, 0x48, 0x86, 0xF7, OxOD, 0x01, 0x07, 0x02} 
, bSPCIndirectDataObjID [] // 1.3.6.1.4.1.311.2.1.4 

= { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0 

4} 

, bO I D_ORGAN I Z AT I ON_NAME [ ] // 2.5.4.10 

= { 0x55, 0x04, 0x0a} 

} 

// Global data 

// Because of this variable, Certificates .cpp' s static initializer must 
// run before ours does. 

extern HMODULE hmodCrypt32 ; // does not exist in base OS 

R2 

// Local functions 

static PBYTE ComputeMessageDigest ( const BYTE * pbFile) ; 

static bool GetSignature ( const BYTE * pbMod, CASNlBERNode * pNodeTop) ; 
static bool I sThisCert SignedByAFriend ( const CASNlBERNode * pNodeCert) ; 
static CASNlBERNode * newCASNlBERNode ( ) ; 

static LONG OneASNlBERLevel ( CASNlBERNode * pNodeParent 

, const BYTE * pbStart 
, LONG lBytesLeft 

) ; 

static void cdecl TerminateValidatePEFile ( ) ; 

/* function Init iali ze ValidatePEFile : 
Static object initialization 

Prepare data structures for module validation. 

This function is called from the carefully sequenced static object 
initialization in VSInit.cpp. 

*/ 

bool InitializeValidatePEFile ( ) 
{ 

// if OSR2 and IE < 4.0, there is nothing to do 

if ( hmodCrypt32 == 0) 
return true ; 

// specify the termination function 

atexit ( TerminateValidatePEFile) ; 

// successful return 

return true ; 
} // InitializeValidatePEFile 
/* function I sPEFileValid : 
As it says 

This function is exported. 

*/ 

bool WINAPI IsPEFileValid ( const char *ps zFileName, DWORD dwLogFlag) 
{ 

return I sPEFileValidEx (ps zFi leName , dwLogFlag, PEFV_VALIDATES IGNER) ; 
} // IsPEFileValid 
/* function I sPEFileValidEx : 

MSH extension to allow for a WinVerif yTrust alternative 

*/ 

bool IsPEHFileValidEx ( HANDLE hFile, DWORD dwLogFlag, DWORD dwOptFlags) 
{ 

// set error logging flags for this thread 



EnableSecureErrorLogging ( dwLogFlag) ; 

// variables we may use in the finally clause 

bool fValid = false ; // assume the worst 

HANDLE hMap = 0; 

PVOID pFileData = 0 ; 

HCRYPTMSG hCrMsg = 0 ; 

CASNlBERNode * pNodeTop = 0 ; 

PBYTE pbDigestComputed = 0 ; 

HCERTSTORE hStoreMsg = 0 ; 

try { // try / finally 

if ( hFile == I NVAL I D_HANDLE_VALUE ) { 

LogSecError( "%u %d", E RROR_S ECURE OP EN_F I LE , GetLastError ( ) ) ; 

return false ; // error return 

} 

// get the file size 

const LONG ORCA_FILE_SIZE = 1 << 24 ; / / 1 6 MB 
LONG ISizeFile = GetFileSize ( hFile, 0) ; 

if ( ISizeFile <= 0 | | ISizeFile > ORCA_FILE_SIZE) { 

LogSecError( "%u %d", ERROR_SECURE_ORCA_F ILE , ISizeFile) ; 
return false ; 

} 

// create a mapping 

hMap = CreateFileMapping ( hFile 

,0 //no security 

, PAGE READONLY 

, 0 // entire file 

, 0 // entire file 

,0 // unnamed 

) ; 

if ( hMap ==0) { 

LogSecError ( "%u %d", ERROR_SECURE_MAP FILE , GetLastError () ) ; 

return false ; 

} 

// create a view 

pFileData = MapViewOf File ( hMap 

, F I LE_MAP_READ 

, 0 // start view at file start 

, 0 // start view at file start 

,0 // view the entire file 



) 



if ( pFileData == 0) { 

LogSecError( "%u %d", ERROR_SECURE_VIEWFILEMAP , GetLastError () ) 
return false ; 

I 

// find the signature 

// We can't allocate pNodeTop on the stack, since that would 
// conflict with the use of SEH in this function. 
PBYTE pbFileData = PBYTE ( pFileData) ; 
pNodeTop = newCASNlBERNode ( ) ; 
if ( pNodeTop ==0) { 

LogSecError ( "%u", ERROR_SECURE_NO_ASNl_NODE ) ; 

return false ; 

I 

if ( GetSignature ( pbFileData, pNodeTop) == false) { 

LogSecError ( "%u", ERROR_S ECURE NO S IGNATURE ) ; 

return false ; 

} 

// compute the message digest 

pbDigestComputed = ComputeMessageDigest ( pbFileData) ; 
if ( pbDigestComputed == 0) { 

LogSecError ( "%u", ERROR_SECURE_COMPUTE_ME S S AGE_D I GE S T ) ; 

return false ; 

} 

const DWORD dwSizeDigest 

= HeapSize ( GetProcessHeap ( ) , 0, pbDigestComputed) ; 
// We start with the validation functions we can perform on Win95 
// OSR2 without IE 4.x or even the Authenticode 2.0 update. 
// find the unencrypted digest and the first certificate 



CASNlBERNode * pNodeCert 
, * pNodeDgst 
} 

try { // try / except 

// find the PKCS-7 signed data 

// Documentation is available at 

/ / http : / /www .rsasecurity. com/rsalabs /pkcs . 

CASNlBERNode * pNodeFind ; 

for ( pNodeFind = pNodeTop->m_FirstChild 

; pNodeFind != 0 && ! IsOID ( pNodeFind, bPKCS7SignedData) 
; pNodeFind = pNodeFind->m_Next Sibling 
) { 

} // loop until we find the PKCS-7 signed data 
// skip some nodes 

pNodeFind = pNodeFind->m_Next Sibling ;// data comes after the OID 
do { 

pNodeFind = pNodeFind->m_FirstChild ; 

} while ( pNodeFind->m_RawTag != ASN TYPE_INTEGER) ;// version 

pNodeFind = pNodeFind->m_Next Sibling ;// digest algorithms 

pNodeFind = pNodeFind->m_Next Sibling ;// content information 

// take a detour to find the unencrypted digest 

pNodeDgst = pNodeFind->m_FirstChild ; 

if ( ! IsOID ( pNodeDgst, bSPCIndirectDat aOb j ID ) ) { 

LogSecError ( "%u", ERROR_SECURE_NO_UNENCRYP TED_D I GE S T ) ; 

return false ; 

} 

pNodeDgst = pNodeDgst->m_Next Sibling ; 

pNodeDgst = pNodeDgst->m_FirstChild ; 

pNodeDgst = pNodeDgst->m_FirstChild ; 

pNodeDgst = pNodeDgst->m_Next Sibling ; 

pNodeDgst = pNodeDgst->m_FirstChild ; 

pNodeDgst = pNodeDgst->m_Next Sibling ; 

/ / back to finding the first certificate 

pNodeFind = pNodeFind->m_Next Sibling ;// certificates 

pNodeFind = pNodeFind->m_FirstChild ; 

pNodeCert = pNodeFind ; 

if ( pNodeCert ==0) { 

LogSecError ( "%u", ERROR_SECURE_NO_CERTS_IN_S IG) ; 

return false ; 

} 

} // try 

except ( Def aultExcept ionFilterEx ( GetExcept ionlnf ormat ion ( ) ) ) { 

LogSecError ( "%u", ERROR_SECURE PARSE_CERT 1 ) ; 

return false ; 

} 

// validate the signer's organization name 

// We look in all certificates. We assume the Zone Labs certi- 

// ficate has our company name in the first subject field. 

// OEM clients using the secure API must have a valid signature 

// that includes a Zone Labs certificate. 

CASNlBERNode * pNodeSign; 
if ( dwOptFlags & PEFV_VALIDATES IGNER) 
{ 

bool f SignedByAFriend ; 
for ( f SignedByAFriend = false 
, pNodeSign = pNodeCert 
; f SignedByAFriend == false 

&& pNodeSign != 0 
; f SignedByAFriend = IsThisCertSignedByAFriend ( pNodeSign) 

, pNodeSign = pNodeSign->m_Next Sibling 
) { 

} // check certificates until we find a Zone signature 
if ( f SignedByAFriend == false) { 

LogSecError ( "%u", ERROR_SECURE_NO_ZONE_S IG) ; 

return false ; 

I 

} 

else 



pNodeSign = pNodeCert; 

// validate the unencrypted message digest 
// In Win95 0SR2, dwSizeDigest ranges from 16-20. 
if ( dwSizeDigest < pNodeDgst->m_Length 
I | memcmp ( pbDigestComputed 

, pNodeDgst->m_RawData 
, pNodeDgst->m_Length 
) != 0) { 

LogSecError ( "%u", ERROR_SECURE_DIGEST_MI SMATCH) ; 

return false ; 
} // if the unencrypted digest does not match 
// this is as far as we can go in OSR2 with IE < 4.0 
if ( hmodCrypt32 ==0) { 

fValid = true ; 

return true ; 

} 

// create a crypto message object 

hCrMsg = CryptMsgOpenToDecode ( X5 0 9_ASN_ENCODING | PKCS_7_ASN_ENCODI 

NG 

,0 // dwFlags 

,0 // dwMsgType 

, 0 // use default crypto provid 

er 

, 0 // pRecipient Inf o 

, 0 // pStreamlnfo 

) ; 

if ( hCrMsg ==0) { 

LogSecError ( "%u %d", ERROR_SECURE_MSGOPENTODECODE, GetLastError ( ) 

) ; 

return false ; 

} 

// add the data to the crypto object 
if ( CryptMsgUpdate ( hCrMsg 

, pNodeTop->m_RawData 

, pNodeTop->m_Length + pNodeTop->m_LenHdr 
, TRUE // final update 

) == FALSE) { 

LogSecError ( "%u %d", ERROR_SECURE_CRYPTMS GUP DATE, GetLastError () ) 

r 

return false ; 

} 

// validate the signature 

if ( CryptMsgGetAndVerifySigner ( hCrMsg, 0, 0, 0, 0, 0) == FALSE) { 
LogSecError ( "%u %d", ERROR_SECURE S IG_VAL FAILED, GetLastError () ) 

} 

return false ; 

I 

// get a certificate store for this data 

hStoreMsg = CertOpenStore ( CERT_STORE_PROV_MSG 

, X5 0 9_ASN_ENCODING | PKCS_7_ASN_ENCODING 
,0 // default cryptographic pro 

vider 

, CERT STORE_NO CRYPT_RE LEASE FLAG 

, hCrMsg 

) ; 

if ( hStoreMsg == 0) { 

LogSecError( "%u %d", ERROR_SECURE CERTOPENSTORE, GetLastError () ) 

} 

return false ; 

} 

// validate each certificate 

for ( ; pNodeCert != 0 ; pNodeCert = pNodeCert->m_Next Sibling) { 
if ( IsCertValidlnAnyStore ( pNodeCert->m_RawData 

, pNodeCert->m_Length + pNodeCert->m_Len 

Hdr 

, hStoreMsg 

) == false) { 

LogSecError ( "%u", E RRO R_ S E CURE C E R T I N V_ I N_AL L S T O RE S ) ; 



} 



return false ; 



} // loop once for each certificate 
// successful validation 
fValid = true ; 

I // try 

finally { 

// release resources 
if ( hStoreMsg != 0) 

CertCloseStore ( hStoreMsg, 0) ; 
if ( pNodeTop != 0) 

delete pNodeTop ; 
if ( hCrMsg != 0) 

CryptMsgClose ( hCrMsg) ; 
if ( pbDigestComputed != 0) 

HeapFree ( GetProcessHeap () , 0, pbDigestComputed) ; 
if ( pFileData != 0) 

UnmapViewOf File ( pFileData) ; 
if ( hMap != 0) 

CloseHandle ( hMap) ; 
if ( hFile != I NVAL I D_HAND LE_VALUE ) 

CloseHandle ( hFile) ; 
// ensure error logging is enabled in case other functions call it 
EnableSecureErrorLogging ( SAP I_LOG_TVDEBUG) ; 
} // finally 

// only a successful validation reaches here 

return fValid ; // return to the caller 

} // IsPEHFileValidEx 
/* function I sPEFile ValidEx : 

MSH extension to allow for a WinVerif yTrust alternative 

*/ 

bool WINAPI IsPEFileValidEx ( const char *pszFileName, DWORD dwLogFlag, D 
WORD dwOpt Flags) 
{ 



bool fValid = false ; 

HANDLE hFile = I NVAL I D_HANDLE_VALUE ; 
// open the file 

hFile = CreateFile ( pszFileName 

, GENERIC READ 

, F I LE S HARE_RE AD 

, 0 



// assume the worst 



| F I LE S H ARE_WR I T E 



// 
// 



no security 
the file must exist 



, OPEN_EXISTING 

, F I LE_AT TRI BUTE NORMAL 

, 0 

) ; //no template 

fValid = IsPEHFileValidEx (hFile, dwLogFlag, dwOptFlags); 
// set error logging flags for this thread 
EnableSecureErrorLogging ( dwLogFlag) ; 
if ( fValid == false) { 
LogSecError ( "%u %s", ERROR_S ECURE_FAI LED_VAL I DAT I ON, pszFileName) ; 

} 

// ensure error logging is enabled in case other functions call it 
EnableSecureErrorLogging ( SAP I_LOG_TVDEBUG) ; 
return fValid ; 
} // IsPEFileValidEx 
/* function I sPEFileValidExW : 

MSH extension to allow for a WinVerif yTrust alternative 

*/ 

bool WINAPI IsPEFileValidExW ( const WCHAR *ps zFileName, DWORD dwLogFlag, 
DWORD dwOptFlags) 

{ 



bool fValid = false ; 

HANDLE hFile = I NVAL I D_HANDLE_VALUE ; 
// open the file 

hFile = CreateFileW( pszFileName 

, GENERIC_READ 

, F I LE S HARE_RE AD 

, 0 



// assume the worst 



F I LE_SHARE_WRI TE 
// no security 



, OPEN_EXISTING // the file must exist 

, F I LE_AT TRI BUTE NORMAL 

, 0 

) ; //no template 

fValid = IsPEHFileValidEx (hFile, dwLogFlag, dwOptFlags) ; 
// set error logging flags for this thread 
EnableSecureErrorLogging ( dwLogFlag) ; 
if ( fValid — false) { 
LogSecError ( "%u %S", ERROR_SECURE_FAI LED_VAL I DAT I ON, pszFileName) ; 

} 

// ensure error logging is enabled in case other functions call it 
EnableSecureErrorLogging ( SAP I_LOG_TVDEBUG) ; 
return fValid ; 
} // IsPEFileValidExW 

// All functions below are private to this file 
/* function ComputeMessageDigest : 

Hash the PE file contents just like WinVerif yTrust does 
The caller must call HeapFree to free the returned buffer. 
The Crypto APIs used here are in ADVAPI32, available even in Win95 
0SR2 . If we don't like calling them, we can instead use the source 
code in MD 5 C . c (search the source tree) . 

*/ 

static PBYTE ComputeMessageDigest ( const BYTE * pbFile) 
{ 

// get the ranges to hash 

// We assume the file structure has already been validated, so that 
// these accesses will not fault. 

P IMAGE DOS HEADER pHdrDOS = P IMAGE_DOS HEADER ( pbFile) ; 

P IMAGE NT HEADERS 3 2 pHdrNT 

= PIMAGE_NT HEADERS 3 2 ( pbFile + pHdrDOS->e_l f anew) ; 

P IMAGE D AT A_D I RECTORY plmCert 

= &pHdrNT->Opt ionalHeader . Dat aDirect ory [ IMAGE_D I RECTORY ENTRY SECUR 

ITY] ; 

DWORD dwSl = 0 

, dwEl = PBYTE ( &pHdrNT->Opt ionalHeader .Checksum) - pbFile 
, dwS2 = dwEl + sizeof ( DWORD) 

, dwE2 = PBYTE ( &pHdrNT->Opt ionalHeader . Dat aDirect ory [ I MAGE_D I RE C 
TORY_ENTRY_SECURITY] ) 

- pbFile 

, dwS3 = PBYTE ( &pHdrNT->Opt ionalHeader . Dat aDirect ory [ I MAGE_D I RE C 
TORY ENTRY_SECURITY + 1]) 

- pbFile 

, dwE3 = pImCert->VirtualAddress 

r 

// hash the file's contents 
HCRYPTPROV hProv = 0 ; 
HCRYPTHASH hHash = 0 ; 
PBYTE pbDigest ; 

try { // try / finally 

// initialize 

if ( CryptAcquireContext ( &hProv 

,0 
, 0 

, PROV_RSA_FULL 

, CRYPT_VERIFYCONTEXT 

) == FALSE) { 

LogSecError ( "%u %X", ERROR_SECURE CRYP T_ACQU I RE_CONTEXT , GetLastE 

rror ( ) ) ; 

return 0 ; 
} // if CryptAcquireContext failed 

if ( CryptCreateHash ( hProv // default provider 

, CALG_MD5 

,0 / / non-keyed algorithm 

, 0 // dwFlags, must be zero 

, &hHash // handle goes here 

) == FALSE) { 

LogSecError ( "%u %X", ERROR_SECURE CRYPT CREATE HASH, GetLastError 

0 ) ; 



return 0 ; 
} // if CryptCreateHash failed 
// add the three data pieces 

if ( CryptHashData ( hHash, pbFile + dwSl, dwEl - dwSl, 0) == FALSE) 

{ 

LogSecError ( "%u %X", ERROR_SECURE_CRYPT_HASH_DATA_l , GetLastError 

() ) ; 

return 0 ; 

} 

if ( CryptHashData ( hHash, pbFile + dwS2, dwE2 - dwS2, 0) == FALSE) 

{ 

LogSecError ( "%u %X", ERROR_SECURE CRYPT HASH DATA_2 , GetLastError 

0 ) ; 

return 0 ; 

} 

if ( CryptHashData ( hHash, pbFile + dwS3, dwE3 - dwS3, 0) == FALSE) 

{ 

LogSecError ( "%u %X", ERROR_SECURE CRYPT HASH DATA_3 , GetLastError 

0 ) ; 

return 0 ; 

I 

// get the hash result 
DWORD dwHashSize 

, dwDataLength = sizeof ( DWORD) 

r 

if ( CryptGetHashParam ( hHash 

, HP_HASHSIZE 

, PBYTE ( &dwHashSize) 

, &dwDataLength 

, 0 

) == FALSE) { 

LogSecError ( "%u %X", E RRO R_S ECU RE C R Y P T GE T_H A S H P ARAM_ 1 , GetLast 

Error ( ) ) ; 

return 0 ; 
} // if CryptGetHashParam failed 

pbDigest = PBYTE ( HeapAlloc ( GetProcessHeap ( ) , 0, dwHashSize) ) ; 
if ( pbDigest ==0) { 

LogSecError ( "%u %X", ERROR_SECURE_CRYPT_HEAP_ALLOC, dwHashSize) ; 

return 0 ; 

I 

dwDataLength = dwHashSize ; 
if ( CryptGetHashParam ( hHash 

, HP HAS HVAL 

, pbDigest 

, &dwDataLength 

, 0 

) == FALSE) { 

LogSecError ( "%u %X", E RRO R_S ECU RE C R Y P T GE T_H A S H P ARAM_2 , GetLast 

Error ( ) ) ; 

HeapFree ( GetProcessHeap () , 0, pbDigest) ; 
return 0 ; 
} //if CryptGetHashParam failed 

I // try 

finally { 

if ( hHash != 0) 

CryptDestroyHash ( hHash) ; 
if ( hProv != 0) 

CryptReleaseContext ( hProv, 0) ; 

} // finally 

// successful return 
return pbDigest ; 
} // ComputeMessageDigest 
/* function Get Signature : 

Find the signature in a module's memory image 

*/ 

static bool GetSignature ( const BYTE * pbMod, CASNlBERNode * pNodeTop) 
{ 

// guard the code in case a bogus memory reference causes an access 



// exception 
try { 

// find where the signature is in the module file 

PIMAGE_DOS_HEADER pHdrDOS = P IMAGE_DOS HEADER ( pbMod) ; 

if ( pHdrDOS->e_magic != 'ZM') 

return false ; // error return 

PIMAGE_NT_HEADERS32 pHdrNT 

= PIMAGE_NT_HEADERS32 ( pbMod + pHdrDOS->e_l f anew) ; 
if ( pHdrNT->Signature != ' EP ' ) 

return false ; // error return 
if ( pHdrNT->FileHeader .Machine != IMAGE FILE_MACHINE_I 3 8 6) 

return false ; // error return 
if ( ( pHdrNT->FileHeader .Characteristics & IMAGE F I LE EXECUTABLE IM 

AGE) 

==0) { 

return false ; // error return 

} 

if ( pHdrNT->OptionalHeader .Magic != IMAGE NT OPTIONAL HDR32_MAGIC ) 

return false ; // error return 

PIMAGE_DATA_D I RECTORY plmCert 

= &pHdrNT->Opt ionalHeader . DataDirect ory [ I MAGE_D I RE C T ORY_EN T RY_S E C 
URITY] ; 

// point to the signature data 
LPWIN_CERTIFICATE pCert 

= LPWIN_CERTIFICATE ( pbMod + pImCert->VirtualAddress ) ; 
// validate the size field 
if ( pCert->dwLength != pImCert->Size) 

return false ; // error return 

// validate the certificate type, since our direct validation 
// assumes PKCS-7 

if ( pCert->wCertif icateType != WIN CERT TYPE PKCS_S IGNED_DATA) 

return false ; 

// parse the ASN.l BER structure to simplify subsequent navigation 
// and to partially validate it 

// The length in the WIN_CERTIFICATE structure appears to be 
// rounded up to a multiple of 8. 
PBYTE pbSig = &pCert->bCert if icate [ 0] ; 
LONG lBytesProcessed 

= OneASNlBERLevel ( pNodeTop 
, pbSig 

, pCert->dwLength 

- FIELD_OFFSET ( WIN_CERT IF ICATE , bCert i f icate ) 

) ; 

if ( Roundup ( lBytesProcessed 

+ FIELD OFFSET ( WIN CERTIFICATE, bCert i f icate ) 

, 8 

) != LONG ( pCert->dwLength) ) {// if the lengths are not 

right 

return false ; 

I 

// successful return 
return true ; 
I // try 

except ( Def aultExcept ionFilterEx ( GetExcept ionlnf ormat ion ( ) ) ) { 

LogSecError( "%u", ERROR_SECURE GET S IG_FAULT ) ; 

return false ; // error return 

} // except 

} // Get Signature 

/* function IsThisCert SignedByAFriend : 

Is this certificate's signer known to us 

Our technique works with certificates for both Zone and AT&T. Both 
were issued by Verisign. We could be even stricter, by validating 
the order of the subject fields, since these agree in the two 
certificates and may be standard in certificates issued by Verisign. 

The try / except block catches any wildly different structures, 

but developers may complain if this exception drops them into the 
debugger. So we will attempt to avoid known problems, provided 
this does not overly clutter up the code. 



Before the list of valid signers grows too big, we hope to 
migrate to Verisign's Authenticated Content Signing technology, 
which will allow us to test for a Zone Labs Publisher ID 
certificate instead of each OEM's name. 

*/ 

static bool I sThisCert SignedByAFriend ( const CASNlBERNode * pNodeCert) 
{ 



CASNlBERNode * pNodeOrga ; 
try { 

pNodeOrga = pNodeCert->m_FirstChild ; 
if ( pNodeOrga->m_NbrChildren != 8) 
cert 

return false ; 
pNodeOrga = pNodeOrga->m_FirstChild ; 
pNodeOrga = pNodeOrga->m_Next Sibling 
pNodeOrga = pNodeOrga->m_Next Sibling 

thm 



// try / except 

// if not the same as a Zone 

// we are done 

// version 

// serial number 

// issuer's signature algori 

// 



issuer 
// validity 
// subject 

// first subject field 



pNodeOrga = pNodeOrga->m_Next Sibling 
pNodeOrga = pNodeOrga->m_Next Sibling 
pNodeOrga = pNodeOrga->m_Next Sibling 
pNodeOrga = pNodeOrga->m_FirstChild ; 
for ( ; pNodeOrga != 0 ; pNodeOrga = pNodeOrga->m_Next Sibling) { 
CASNlBERNode * pNodeFind ; 

pNodeFind = pNodeOrga->m_FirstChild ; // sequence 

pNodeFind = pNodeFind->m_FirstChild ; // OID 

if ( IsOID( pNodeFind, bOID ORGANIZATION NAME) ) { 

pNodeOrga = pNodeFind->m_Next Sibling ; 

break ; 

} // if we found the organization name 
} // search the siblings 
if ( pNodeOrga == 0) 

return false ; 
// validate the organization name we found 
int ndxValidSigner ; 
for ( ndxValidSigner = 0 

; ndxValidSigner < nbrValidSigners 

; ndxValidSigner++ 

) { 

DWORD dwSizeStr = strlen ( pszValidSigners [ ndxValidSigner]) ; 
if ( pNodeOrga->m_Length != dwSizeStr) 

continue ; 
if ( memcmp ( pNodeOrga->m_RawDat a 

, pszValidSigners [ ndxValidSigner] 

, dwSizeStr 

) == 0) { 

break ; 

a match 

} // if we found a match 
} // loop until we find a valid signer 
if ( ndxValidSigner >= nbrValidSigners) 



// stop looking if we found 



{// if no valid signer foun 



a match 



for ( ndxValidSigner = 0 

; ndxValidSigner < nbrValidUniSigners 
; ndxValidSigner++ 
) { 

DWORD dwSizeStr = wcslen ( pws zValidSigners [ ndxValidSigner]) ; 
if ( pNodeOrga->m_Length != dwSizeStr * sizeof ( WCHAR) ) 

continue ; 
if ( memcmp ( pNodeOrga->m_RawDat a 

, pws zValidSigners [ ndxValidSigner] 

, pNodeOrga->m_Length 

) == 0) { 

break ; // stop looking if we found 



} 



} // if we found a match 
// loop until we find a valid signer 



und 



if ( ndxValidSigner >= nbrValidUniSigners) // if no valid signer fo 



return false ; // error return 

} // if no valid ASCII signers 
} // try 

except ( Def aultExcept ionFilterEx ( GetExcept ionlnf ormation ( ) ) ) { 

LogSecError ( "%u", ERR0R_SECURE_PARSE_CERT_2 ) ; 
return false ; 

I 

// successful return 

return true ; 
} // IsThisCertSignedByAFriend 
/* function newCASNlBERNode : 
Construct a new node 

This hokey function avoids compiler error C2712 when we compile with 
the -GX option. We don't need -GX currently (Oct2002), but perhaps 
we will in the future. 

*/ 

static CASNlBERNode * newCASNlBERNode ( ) 
{ 

return new CASNlBERNode ; 
} // newCASNlBERNode 
/* function OneASNlBERLevel : 

Format one level of the ASN.l BER data 
This function calls itself recursively. 

*/ 

static LONG OneASNlBERLevel ( CASNlBERNode * pNodeThis 

, const BYTE * pbStart 
, LONG lBytesLeft 
) 

{ 

// decide how far to go 

const BYTE * pbEnd = pbStart + lBytesLeft ; 

// guard this code, in case we fall off the end 

PBYTE pbData = PBYTE ( pbStart) ; 

while ( pbData < pbEnd) { 

try { 

// quit if no more data 

if ( pNodeThis->m_Parent — 0 && *pbData — 0) 

return LONG ( pbData - pbStart) ; // number of bytes processed 

// create a sibling node if this is not the first iteration 
if ( pNodeThis->m_RawData != 0) { 

// We chain the node as soon as possible, to ensure it is found 

// during the destruction loop. 

CASNlBERNode * pNodeSibling = newCASNlBERNode ( ) ; 
if ( pNodeSibling == 0) 

return 0 ; // error return 

pNodeSibling->m_Parent = pNodeThis->m_Parent ; 

pNodeSibling->m_Parent->m_NbrChildren++ ;// count another child 
pNodeThis->m_Next Sibling = pNodeSibling ; 
pNodeThis = pNodeSibling ; // age the pointer 

} // if not the first iteration 

// point to the tag, will overwrite for a primitive field 

pNodeThis->m_RawData = pbData ; 

// get the low tag byte 

BYTE bData = *pbData++ ; 

pNodeThis->m_RawTag = bData ; 

bool f Primitive = ( bData & 0x20) == 0 ; 

bool f Universal = ( bData & OxcO) == 0 ; 

// get the tag 

DWORD dwTag = bData & 0x1 f ; 

if ( dwTag == 31) { // if a high tag number 

dwTag = 0 ; // reset the tag value 

do { 

bData = *pbData++ ; // get next tag byte 

dwTag = ( dwTag * 128) + ( bData & 0x7f) ;// ignore overflow f 

or now 

} while ( ( bData & 0x80) != 0) ; 
} // if a high tag number 
pNodeThis->m_Tag = dwTag ; 



// get the length, if this is fixed length 
// Open: Add support for variable length fields 
bData = *pbData++ ; // 
DWORD dwLength = bData ; 

if ( dwLength > 127) { // 
DWORD nbrBytes = dwLength - 12 8 ; 
dwLength = 0 ; // 
DWORD ndxByte ; 

for ( ndxByte = 0 ; ndxByte < nbrBytes 
bData = *pbData++ ; // 



get first length byte 
if long form 
reset the length 



dwLength = ( dwLength * 2 56) + bData 



; ndxByte++) { 
get next length byte 
;// ignore overflow for 



pNodeThis->m_RawData 
if a constructed type 



< dwLength) 

// error if length is bogus 



#if 0 



} // loop once for each length byte 
} // if long form 
pNodeThis->m_Length = dwLength 
pNodeThis->m_LenHdr = pbData - 
// call ourselves recursively 
if ( fPrimitive == false) { 

// describe this tag 

if ( DWORD ( pbEnd - pbData) 
return 0 ; 

// create a child node 

// We chain the node as soon as possible, to ensure it is found 

// during the destruction loop. 

CASNlBERNode * pNodeChild = newCASNlBERNode ( ) ; 
if ( pNodeChild == 0) 

return 0 ; 
pNodeThis->m_NbrChildren = 1 ; 
pNodeChild->m_Parent = pNodeThis ; 
pNodeThis->m_FirstChild = pNodeChild ; 
// process the child node 
DWORD dwBytesProcessed 

= OneASNlBERLevel ( pNodeChild, pbData, dwLength) ; 



// 24Dec2003: CA's certificate shows a 
// ASN_TYPE_NULL can have length zero. 



if ( dwBytesProcessed == 0) 
return 0 ; 



// 
// 



ds 

tendif 



data type other than 
if an error 

propagate the error upwar 



data 



pbData += dwBytesProcessed ; 

} // if a constructed type 

else { 

// report the tag 

if ( DWORD ( pbEnd - pbData) < 

return 0 ; 
// advance past the primitive 
pNodeThis->m_RawData = pbData 
PBYTE pbField = pbData ; 



// if a primitive type 

dwLength) 

// error return if overflow 

field 

r 

I / in case we can format the 



for the null type 
dwTag == ASN_TYPE NULL ) 

for an OID field 
dwTag == ASN_TYPE_OID) 



pbData += dwLength 
// special handling 
if ( fUniversal && 

continue ; 
// special handling 

if ( fUniversal && dwTag == ASN_TYPE_OID ) { 
DWORD dwNode = 0 ; 
while ( ++pbField < pbData) { 

dwNode += *pbField & 0x7 f ; // 
if ( ( *pbField & 0x80) != 0) // 
dwNode *= 12 8 ; // 
else // 
dwNode = 0 ; // 
} // loop for all remaining OID bytes 

if ( dwNode != 0) // if an incomplete OID 

return 0 ; // error return 

} // if an OID field 
// if a primitive field 



add the new mod 12 8 digit 
if more digits 
shift everything over 
if the last digit 
reset the total 



} // try 

except ( Def aultExcept ionFilterEx ( GetExcept ionlnf ormat ion ( ) ) ) { 

// buffer overrun 
return 0 ; 

} // except 

} // loop while input bytes remain 
// successful return 

return LONG ( pbData - pbStart) ; // number of bytes processed 

} // OneASNlBERLevel 

/* function TerminateValidatePEFile : 
Static object destruction 
Avoid memory leaks. 

*/ 

static void cdecl TerminateValidatePEFile ( ) 

{ 

// nothing to do yet 
} // TerminateValidatePEFile 
/* function CASNlBERNode : : CASNlBERNode : 
Constructor 

*/ 

CASNlBERNode : : CASNlBERNode ( ) 

: m_Next Sibling ( 0) 

, m_FirstChild ( 0) 

, m_Parent ( 0 ) 

, m_Length ( 0 ) 

, m_LenHdr ( 0 ) 

, m_RawData( 0) 

, m_Tag ( 0) 

, m_RawTag ( 0) 

, m_NbrChildren ( 0) 

I 

} // CASNlBERNode: : CASNlBERNode 
/* function CASNlBERNode :: -CASNlBERNode : 
Destructor 

*/ 

CASNlBERNode : : -CASNlBERNode ( ) 
{ 

// delete children first, siblings second 
if ( m_FirstChild != 0) 

delete m_FirstChild ; 
if ( m_NextSibling != 0) 

delete m_Next Sibling ; 
} // CASNlBERNode: : -CASNlBERNode 



